gurcu | b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e

Analysis

max time kernel
127s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 06:27

Target

1232exe.exe
Size

827KB
MD5

a1ce7b26712e1db177d86fa87d09c354
SHA1

23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
SHA256

b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA512

e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4
SSDEEP

12288:IKY7z5GoJiGaq5auxKSjipNvJDK2WSqcIVr4vo1euUTyH2BQMyEp0mpefJ3Lww:G5GoR5amjipNvFK2LXG3VrEuqqJ8w

Score

10^/10

gurcu stealer

Family

gurcu

https://api.telegram.org/bot5948365373:AAHGoShKq2YoPLHuMrakRbVNthbMABFYHUc/sendMessage?chat_id=-1001620069625

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 4380	3876	1232exe.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2544	4380	WerFault.exe	90

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	1232exe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90
PID 3876 wrote to memory of 4380	3876	1232exe.exe	90

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4380 -ip 4380
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1232exe.exe.log

Filesize
1KB

MD5
7cad59aef5a93f093b6ba494f13f796f

SHA1
3cef97b77939bfc06dfd3946fc1a8cd159f67100

SHA256
1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55

SHA512
8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

Download Submit
memory/3876-133-0x0000000000450000-0x0000000000526000-memory.dmp

Filesize
856KB

Download
memory/3876-134-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/3876-135-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/3876-136-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/3876-137-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3876-138-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3876-139-0x0000000008EE0000-0x0000000008F7C000-memory.dmp

Filesize
624KB

Download
memory/4380-140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4380-143-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download