Malware Analysis Report

2024-10-23 19:16

Sample ID 230530-zamcaaca2w
Target 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

Threat Level: Known bad

The file 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs ping.exe

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-30 20:30

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-30 20:30

Reported

2023-05-30 20:31

Platform

win10-20230220-en

Max time kernel

6s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

"C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

"C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 openai.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 66.254.114.41:80 pornhub.com tcp
SK 91.228.166.47:80 eset.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 www.pornhub.org udp
IN 20.207.73.82:80 github.com tcp
IN 20.207.73.82:80 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 www.eset.com udp
US 66.254.114.41:443 www.pornhub.org tcp
NL 23.72.252.131:443 www.eset.com tcp
NL 216.58.214.14:80 youtube.com tcp
IN 20.207.73.82:443 github.com tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp

Files

memory/3664-119-0x0000022C3AEE0000-0x0000022C3AF3C000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

MD5 aec814bf30dd191b641feef457a718ce
SHA1 96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512 fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe.log

MD5 a908a7c6e93edeb3e400780b6fe62dde
SHA1 36e2b437f41443f6b41b45b35a0f97b2cd94123d
SHA256 cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0
SHA512 deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

memory/1604-128-0x000001B92BC50000-0x000001B92BC60000-memory.dmp