gurcu | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Resubmissions

10-04-2024 02:56

240410-dff7kacd24 10

10-04-2024 02:56

10-04-2024 02:56

10-04-2024 02:56

09-09-2023 14:35

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
Size

119KB
MD5

369204590ce91e77109e21a298753522
SHA1

e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512

bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32
SSDEEP

3072:P56Q4BB1q/hJcq4YZRKsySYSLLx9yLjj6TG6WVt9bm+EFyW43LORzMJS/3:Fha6BuQdwLKTGLt9bmhD4q1Mc

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 3 IoCs

resource	yara_rule
behavioral2/memory/520-0-0x0000020F004F0000-0x0000020F00514000-memory.dmp	family_gurcu_v3
behavioral2/files/0x0007000000023126-8.dat	family_gurcu_v3
behavioral2/files/0x0007000000023126-9.dat	family_gurcu_v3

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
932	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4588	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
860	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
Token: SeDebugPrivilege	416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 3924	520	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	82
PID 520 wrote to memory of 3924	520	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	82
PID 3924 wrote to memory of 2552	3924	cmd.exe	84
PID 3924 wrote to memory of 2552	3924	cmd.exe	84
PID 3924 wrote to memory of 860	3924	cmd.exe	85
PID 3924 wrote to memory of 860	3924	cmd.exe	85
PID 3924 wrote to memory of 4588	3924	cmd.exe	90
PID 3924 wrote to memory of 4588	3924	cmd.exe	90
PID 3924 wrote to memory of 416	3924	cmd.exe	91
PID 3924 wrote to memory of 416	3924	cmd.exe	91
PID 416 wrote to memory of 3852	416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	94
PID 416 wrote to memory of 3852	416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	94
PID 416 wrote to memory of 932	416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	97
PID 416 wrote to memory of 932	416	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2552
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:860
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4588
- - C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:416
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpC786.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
      "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-certs

Filesize
18KB

MD5
7e824aaf94959bc4f7f5657edd7d254c

SHA1
bb249c6f10611379a5c15e82aeee1bafd618bc07

SHA256
9f7d11548022ddcd34686bf6c9466128a2b0e2139de56684e31a1144a0da0ebd

SHA512
6b82a9404217150aedf571fba0d97a34f615cf41cd9d77076d047c4a0cd787ef0d89469d6e0a5741d464bfcfe2e63113f057c81e48db6d6ec0f73ee655307351

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
84a6d4d9f22f12937bf2df64129a7b10

SHA1
7dc9b18245c85b69b1f78de404ec25d49685467b

SHA256
4ba491e297ce2cabc25a277bfe2ac345f7f89910be0e2faad4e4a15cec770b10

SHA512
bb72bfe782338ef7cf70e977100f13abbe1a3d952fbdac180dd0ba6406fadf4f2ca9c59da8eb99827deb7aeead0db180867200c50ec27b9a4df5b8fa085e2842

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new

Filesize
12.4MB

MD5
f08dabaaf10c3afe18fda9d1b4bafd10

SHA1
ac1f2f5698e18bce0ea7c6cd236a32e8987081dc

SHA256
59c0b9482716f88711477593568f2a0e8ce56bf2c317afa690c27edf48025b27

SHA512
34e017919b41a784b3c0106d536acc458b9f774851b1caa3cb3813d06df7e7dd4c47863f5e8c5c864af67863aa801d0aea6644f01d6798c38e5d51c11bea60e1

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new

Filesize
7.6MB

MD5
fa8ec79abb456c14a9b9bfd5d1f74749

SHA1
c72331aaa1037daa436f8b850006b196d5e874da

SHA256
e505e548f6719bbe9efd095f8249dce411e0d06e807254b5bc4fdc9cd094fcde

SHA512
d13ca91cf3321045abc2cfc90722b07286d1dceb1a3a688b491adf8e69d1ad4166846868272bd5bfe25a0aa7022b5ee5b1d1230a16280b0af5e92e7acb392a64

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname

Filesize
64B

MD5
d4a5d5bbb530dbe0c0e620b5cf2594f7

SHA1
98c17d596a6222c4e570cab8aed25f2b049171e6

SHA256
bdc827ea0388f3da7538768b64bfa02f8c1d4b4ae047c45c7972f62073cac66e

SHA512
bba7822c6c946449f808d9969ddfbaedaa83c0dfc01607ddcb610fdbe963c593d67c5dacc5a773a82a311387957e3a65cc9b524f1b4981ca0844b29ab70e2b3e

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt

Filesize
218B

MD5
15a9b3f559a79afbec82c0549359d593

SHA1
b9dd2e7944c24320576bd69d12920c757bdac071

SHA256
0b888878dd8f3939a03ec4030f6e2e075e60376bd27561ec9183904c19ba4251

SHA512
6e41c0dc370d5c8848d121d8c72a3446feae36d65b86f1b90e5ca7e09743111febf67f0dd3b1697c797fe087709a13ad9a129e95cbc8ec1b412226deb7fc8a69

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Filesize
119KB

MD5
369204590ce91e77109e21a298753522

SHA1
e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

SHA512
bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

Filesize
119KB

MD5
369204590ce91e77109e21a298753522

SHA1
e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

SHA512
bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC786.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/416-13-0x0000027156CC0000-0x0000027156CD0000-memory.dmp

Filesize
64KB

Download
memory/416-11-0x00007FFAF76F0000-0x00007FFAF81B1000-memory.dmp

Filesize
10.8MB

Download
memory/416-46-0x00007FFAF76F0000-0x00007FFAF81B1000-memory.dmp

Filesize
10.8MB

Download
memory/416-57-0x0000027156CC0000-0x0000027156CD0000-memory.dmp

Filesize
64KB

Download
memory/520-0-0x0000020F004F0000-0x0000020F00514000-memory.dmp

Filesize
144KB

Download
memory/520-6-0x00007FFAF87F0000-0x00007FFAF92B1000-memory.dmp

Filesize
10.8MB

Download
memory/520-2-0x0000020F1A9D0000-0x0000020F1A9E0000-memory.dmp

Filesize
64KB

Download
memory/520-1-0x00007FFAF87F0000-0x00007FFAF92B1000-memory.dmp

Filesize
10.8MB

Download