Malware Analysis Report

2024-10-23 19:16

Sample ID 230726-qr2nvsbh76
Target loader.exe
SHA256 8d647fd3ebb00c9d853eb728ff7cba75b7a089d30f84090e3bc1dc460bdd47f3
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d647fd3ebb00c9d853eb728ff7cba75b7a089d30f84090e3bc1dc460bdd47f3

Threat Level: Known bad

The file loader.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu, WhiteSnake

Gurcu family

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Program crash

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

outlook_office_path

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-26 13:30

Signatures

Gurcu family

gurcu

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-26 13:30

Reported

2023-07-26 13:33

Platform

win7-20230712-en

Max time kernel

120s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary data elided] C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary data elided] C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary data elided] C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\System32\cmd.exe
PID 1872 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1872 wrote to memory of 2252 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1872 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1872 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\loader.exe
PID 2448 wrote to memory of 2996 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\loader.exe
PID 2680 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe C:\Windows\system32\WerFault.exe
PID 2448 wrote to memory of 1176 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\loader.exe
PID 1176 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "loader" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\loader.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "loader" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

"C:\Users\Admin\AppData\Local\TeamViewer\loader.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2DB00F75-79A5-4756-933C-011D00475C33} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2680 -s 4168

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1176 -s 1396

Network

Files

memory/1448-54-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

memory/1448-55-0x00000000011E0000-0x0000000001248000-memory.dmp

memory/1448-56-0x000000001B1D0000-0x000000001B250000-memory.dmp

memory/1448-59-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

MD5 69e3cdc923b668aec4cb405c040565c6
SHA1 6a675ebf6f241e543f7bb50ccc8ead462a427880
SHA256 8d647fd3ebb00c9d853eb728ff7cba75b7a089d30f84090e3bc1dc460bdd47f3
SHA512 5580919f6710fc210f079875eae22a87c85e854b57f59d10fc22680460f370154d7d223a66c9797387e4675a7954ba6f051a34571499481927980eb9ebf07cdb

memory/2680-63-0x0000000000FB0000-0x0000000001018000-memory.dmp

memory/2680-64-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

memory/2680-65-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/2996-68-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

memory/2996-69-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

memory/2680-70-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab49C0.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

memory/2680-94-0x000000001B070000-0x000000001B0F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar4A8E.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 302962c2404839a514f898a8c4a3c2f6
SHA1 9f2db34487a0e61c7295e194da1462fb8de1a055
SHA256 c75789c031da6a24c1b50330e851972a77337b5d2d0b7227b455c2e663605ca6
SHA512 2b66268119e24bef502831eb6ff3baa1c455ff1723a1d4a187e5e5446de1ee259073395d44d862e85602eebfd8a9b1ad7af00bbae2d0aa19237fb5ef5ca3e170

memory/1176-171-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

memory/1176-172-0x000000001B140000-0x000000001B1C0000-memory.dmp

C:\Users\Admin\AppData\Local\jjmzzxbvaf\port.dat

MD5 9407c826d8e3c07ad37cb2d13d1cb641
SHA1 c4e2a9162d51a3df8022e3aae26c054b3b5da46b
SHA256 83e19a9ce479dc064bab4bd50134db14918cc967debd3ad223bb8993c523788d
SHA512 f8ebfa36256b06e3252c201b5586f370323d8fede25ef475ecf7df3b12e8d238569e5e6660329dd2f8ae54d61139e21f141fceaf8d1d2d4af258794882e8f384

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0378c32d92766661ac51354f98268d83
SHA1 1b8a739b91e61bab65659b7e04d71e7242956d02
SHA256 68d0a1a4a2979368fbcc3eb92c5e1e90b3bd864930b320cf3d1bf2f77f855292
SHA512 049e7ac08741f5cc17dc6bf73a485c8c0e78f60da5356d02982dab2973a35d8457ff6b786c6dd218b3afe3c021e71e63cc3bf029a2ef1f09a48cb4560460b3a9

memory/1176-192-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

memory/1176-193-0x000000001B140000-0x000000001B1C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-26 13:30

Reported

2023-07-26 13:33

Platform

win10v2004-20230703-en

Max time kernel

25s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\System32\cmd.exe
PID 4476 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4476 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4476 wrote to memory of 4112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4476 wrote to memory of 4300 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\loader.exe
PID 4300 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe C:\Windows\System32\tar.exe
PID 4300 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\TeamViewer\loader.exe C:\Users\Admin\AppData\Local\jjmzzxbvaf\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "loader" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\loader.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "loader" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\loader.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

"C:\Users\Admin\AppData\Local\TeamViewer\loader.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpF0F7.tmp" -C "C:\Users\Admin\AppData\Local\jjmzzxbvaf"

C:\Users\Admin\AppData\Local\jjmzzxbvaf\tor\tor.exe

"C:\Users\Admin\AppData\Local\jjmzzxbvaf\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jjmzzxbvaf\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

Network

US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 13.107.253.67:80 openai.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 13.107.253.67:443 openai.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 8.8.8.8:53 67.253.107.13.in-addr.arpa udp
CH 109.202.212.1:9001 tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.157.132:80 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 104.16.156.132:443 www.blockchain.com tcp
US 8.8.8.8:53 ip-api.com udp
US 104.16.156.132:443 www.blockchain.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 46.232.250.51:443 tcp
US 8.8.8.8:53 51.250.232.46.in-addr.arpa udp
US 135.148.53.62:443 tcp
US 64.99.198.74:443 tcp
US 172.106.19.126:443 tcp
US 8.8.8.8:53 62.53.148.135.in-addr.arpa udp
US 8.8.8.8:53 126.19.106.172.in-addr.arpa udp
US 8.8.8.8:53 74.198.99.64.in-addr.arpa udp
N/A 127.0.0.1:65098 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\TeamViewer\loader.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

C:\Users\Admin\AppData\Local\Temp\tmpF0F7.tmp

C:\Users\Admin\AppData\Local\jjmzzxbvaf\tor\tor.exe

C:\Users\Admin\AppData\Local\jjmzzxbvaf\torrc.txt

C:\Users\Admin\AppData\Local\jjmzzxbvaf\host\hostname

C:\Users\Admin\AppData\Local\jjmzzxbvaf\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\jjmzzxbvaf\data\cached-microdescs.new
