gurcu | c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Analysis

max time kernel
25s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x19a4f9f3d16fcc9779ba8ea79bf7.exe
Size

392KB
MD5

2299a17350433284e58bd0fcc10edf41
SHA1

d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512

123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
SSDEEP

6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Executes dropped EXE 4 IoCs

pid	Process
4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4364	tor.exe
1688	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4812	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
153	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2420	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4188	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe
4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	1688	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1008	5040	x19a4f9f3d16fcc9779ba8ea79bf7.exe	86
PID 5040 wrote to memory of 1008	5040	x19a4f9f3d16fcc9779ba8ea79bf7.exe	86
PID 1008 wrote to memory of 2456	1008	cmd.exe	88
PID 1008 wrote to memory of 2456	1008	cmd.exe	88
PID 1008 wrote to memory of 4188	1008	cmd.exe	89
PID 1008 wrote to memory of 4188	1008	cmd.exe	89
PID 1008 wrote to memory of 2420	1008	cmd.exe	91
PID 1008 wrote to memory of 2420	1008	cmd.exe	91
PID 1008 wrote to memory of 4428	1008	cmd.exe	92
PID 1008 wrote to memory of 4428	1008	cmd.exe	92
PID 4428 wrote to memory of 1228	4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe	94
PID 4428 wrote to memory of 1228	4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe	94
PID 4428 wrote to memory of 4364	4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe	96
PID 4428 wrote to memory of 4364	4428	x19a4f9f3d16fcc9779ba8ea79bf7.exe	96
PID 1688 wrote to memory of 4812	1688	x19a4f9f3d16fcc9779ba8ea79bf7.exe	105
PID 1688 wrote to memory of 4812	1688	x19a4f9f3d16fcc9779ba8ea79bf7.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2456
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4188
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2420
- - C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4428
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"
      4⤵
      PID:1228
  - - C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:4364

C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
  "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1688 -ip 1688
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
66b05e5a36ed21e186b6797987197037

SHA1
5f23d4e7844092521d4881d0cb902db77f134f6d

SHA256
3bcb19e6608f1eba65437093adfb1650a6e3bcea8e947581fd0aabc857046dcd

SHA512
dc05b5ad301ad8a0537a94ae6addf603674dac371ae4311ef3d139024ca7f7b2d6553bb1598aeebae063795f281ee79c68738db84e544aad76ea859ab3812baa

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\data\cached-microdescs.new

Filesize
18.0MB

MD5
d548e1967ffd6bccf122b2e49c33adc7

SHA1
2bce6d111d9de0feb8655f1034f6cf7fb4e6a154

SHA256
79a2f916a0af9030daceea148d19fa4b0e3d85d5e1f05bd9af102dbb27f4bc4b

SHA512
f5bab497c8134851547d6349c62f7207a03401d47d7bbd72a7fea50b71b6d8e54886270ad3fc3e0836b7efdbfb918d17205d3efbe9bd74a5d7e20a04fcbc48f6

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

Filesize
64B

MD5
c0641012e3e2c2194a473cbd6cc12aee

SHA1
23e74513d4ba471db7e66152e9c0ef6e5cc02c70

SHA256
3532a833868ee006368fb1e1688a5643bae92077490b976a3c0fc8eadfe14883

SHA512
d88d20e0ea07ca70fd6b8b7567a4540c7de3b67c48b3d068212144b9ed8c06a03db3672f8b5203988c1360d6ca9576e0e119254604b0bf0a42ced8dd6627aa84

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

Filesize
4B

MD5
a7c9585703d275249f30a088cebba0ad

SHA1
c7780966d9736816247a259aa8b61192868561f0

SHA256
2b169d27d9e55e10515caf1114f67aa60ad2c1021a1a43077fc05103b68013aa

SHA512
55532047dac2d4f6291798a4fae9791eb1fabc1b2e0903557577f7f304f14783103ebe028bdfeb8c87dd0734e57f3e6d739f8dd6ced5f82991d5d253aeae24be

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

Filesize
218B

MD5
c9bab38ab08f9d2a5b7bb3dac7bf11bc

SHA1
f335e2ad7336008b4c9c1c9ae19dd87f7b75d8b3

SHA256
c8373e5e408f240fd68ec98b001d44d2d38db7875a4591ec54a53c9c2bd6d551

SHA512
300f941c6e678e3821c32c6e204b0645e304cfbb004f21c992a0b96cb465e7bd31b081ec9942ca20bd57fde9fb4ce7e83139e76afd006e90b0a8801c0197e393

Download Submit
memory/1688-69-0x0000013E6C160000-0x0000013E6C170000-memory.dmp

Filesize
64KB

Download
memory/1688-56-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

Filesize
10.8MB

Download
memory/4428-40-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

Filesize
10.8MB

Download
memory/4428-49-0x000001EADCFE0000-0x000001EADCFF0000-memory.dmp

Filesize
64KB

Download
memory/4428-12-0x000001EADCFE0000-0x000001EADCFF0000-memory.dmp

Filesize
64KB

Download
memory/4428-11-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

Filesize
10.8MB

Download
memory/5040-0-0x000001E079BF0000-0x000001E079C58000-memory.dmp

Filesize
416KB

Download
memory/5040-1-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

Filesize
10.8MB

Download
memory/5040-6-0x00007FF8A3550000-0x00007FF8A4011000-memory.dmp

Filesize
10.8MB

Download
memory/5040-2-0x000001E07C1B0000-0x000001E07C1C0000-memory.dmp

Filesize
64KB

Download