Malware Analysis Report

2024-10-19 06:43

Sample ID 230908-lrpl3sad5t
Target 369204590CE91E77109E21A298753522.exe
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
Tags
gurcu collection spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Threat Level: Known bad

The file 369204590CE91E77109E21A298753522.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer discovery

Detect Gurcu Stealer V3 payload

Gurcu family

Gurcu, WhiteSnake

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-08 09:46

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-08 09:46

Reported

2023-09-08 09:48

Platform

win7-20230831-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 2056 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 2056 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 1692 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1692 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1692 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1692 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1692 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1692 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1692 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1692 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1692 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1692 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1692 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 1692 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2932 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 2612 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2612 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2612 wrote to memory of 2928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2928 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 2928 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe
PID 2928 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2932 -s 3060

C:\Windows\system32\taskeng.exe

taskeng.exe {5D8EB511-77CD-44A5-9645-71388058095C} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2928 -s 3136

Network

Country Destination Domain Proto
US 8.8.8.8:53 archive.torproject.org udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2056-0-0x0000000001190000-0x00000000011B4000-memory.dmp

memory/2056-1-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

memory/2056-2-0x000000001ACE0000-0x000000001AD60000-memory.dmp

memory/2056-5-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/2932-9-0x0000000001300000-0x0000000001324000-memory.dmp

memory/2932-10-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

memory/2932-11-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab53ED.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5509.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76f00ac285f258782317be0e8d041c84
SHA1 cb6eac17017671666baa6e8f5f79d8256b666c69
SHA256 2c761b18173d939b777dc7b65768bc14241269e2c64c91aeec418030edc99c1e
SHA512 b298c1b933b1d202fa56297fa3bd9085f24701e9e5a2270ee48ecc1729ed94225293cc39e631f53a4af375c0e8102ccf2bf19ebdbd33a1906abe0dcf74d37c7e

memory/2932-86-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

MD5 33b9c7c18ec3acc3747c41e70e9bb3d6
SHA1 fce7b95fb26969af8afd58102677dd04da9a9f09
SHA256 a818957b3a1f9857b721ff8ff9127e971302607b483b24a8d7b82ca8c2edff35
SHA512 dc242acec23a862f7672d0637926897e19d108ce568e7e0b2effbb4baa5a611f9c89e2386c7d5913c8f876fc60266846c2d6c1d98d9cf50738d013fb49d1b6df

memory/2928-89-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

memory/2928-90-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2da9236aae5ad538a5f0338bdaf76bc
SHA1 48bbae732d72524a287a93350c07525c1c534966
SHA256 04ce788de210bc919c18fbdbb12dccd9624c5240e3a898b6f0d16aca4e1ffb5c
SHA512 97cbd8fcb1a2dd70dc557f047d9e299e508c9f490e060bcf1fd3a2397cc2b850ae8a3a7184278db087468dbd371b342412829e55d19e88c27aa15b95339aa455

C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

MD5 1d2c0986ba3c3af924ad4b8776a45190
SHA1 e4199810598c592fb4304eb37cf90d2ce2065a11
SHA256 8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2
SHA512 275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

memory/2928-111-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-08 09:46

Reported

2023-09-08 09:48

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 896 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe C:\Windows\System32\cmd.exe
PID 4712 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4712 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4712 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4712 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4712 wrote to memory of 748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4712 wrote to memory of 748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4712 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 4712 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
PID 2864 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\System32\tar.exe
PID 2864 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Windows\System32\tar.exe
PID 2864 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
PID 2864 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

"C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 archive.torproject.org udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 5.45.102.119:9100 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
DE 188.68.40.46:9100 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:51387 tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
BR 191.252.111.55:443 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/896-0-0x000002363AEC0000-0x000002363AEE4000-memory.dmp

memory/896-4-0x00007FF920C60000-0x00007FF921721000-memory.dmp

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\369204590CE91E77109E21A298753522.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

MD5 369204590ce91e77109e21a298753522
SHA1 e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256 a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512 bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

memory/2864-9-0x00007FF91FB10000-0x00007FF9205D1000-memory.dmp

memory/2864-10-0x0000016029410000-0x0000016029420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt

MD5 d6a66200b5601d00eec6178552031d19
SHA1 3538d7d610299ba3b7730bc946d26e63195b3790
SHA256 7e508deb112f877c9ec23a6816bd3461b82537bf87ddf1bcd71ce5661b2869ce
SHA512 e70ffa19fc3e4061c21b2a3d82292598d87878092fb3d0f3362f5ecfeada169a585acdea00ab0ba0ccb3bb6314323040ddd515537b0a5f35e5570f1719eebc48

memory/896-37-0x00007FF920C60000-0x00007FF921721000-memory.dmp

C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname

MD5 381c6897bd6379528e8b5669c92f2dac
SHA1 9ad21365ba61bde0eba634616b5f0122c949fb18
SHA256 6e1397ecd92d5c99739e7317e55f2825537fe267333c48150ab041d5b217e290
SHA512 16ce8ee97726a5661ceff38c9cf275660e6b0678b02b84f161c001b27dcb18be5d666d1a280db4aa610e26bc32c4f133cb0f1c1df7be94f390816876882b8f19

memory/2864-40-0x00007FF91FB10000-0x00007FF9205D1000-memory.dmp

memory/2864-41-0x0000016029410000-0x0000016029420000-memory.dmp