gurcu | 67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

Resubmissions

10-04-2024 02:29

240410-cy22baca54 10

10-04-2024 02:29

10-04-2024 02:29

10-04-2024 02:29

14-10-2023 01:29

Analysis

max time kernel
3s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D5f0a5d17c7420fe49da676.exe
Size

250KB
MD5

24a8408510d9b173b9dc078574261d28
SHA1

2ecfc788687aadbd9cc42ea311210f7cde5fa064
SHA256

67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869
SHA512

de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9
SSDEEP

6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX

Score

10^/10

gurcu stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 5 IoCs

resource	yara_rule
behavioral2/memory/2072-0-0x00000153B3210000-0x00000153B3254000-memory.dmp	family_gurcu_v3
behavioral2/files/0x0007000000023238-8.dat	family_gurcu_v3
behavioral2/files/0x0007000000023238-9.dat	family_gurcu_v3
behavioral2/memory/3672-12-0x0000020BAE460000-0x0000020BAE470000-memory.dmp	family_gurcu_v3
behavioral2/files/0x0007000000023238-15.dat	family_gurcu_v3

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4360	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1384	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	D5f0a5d17c7420fe49da676.exe

C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe
"C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
  2⤵
  PID:2748
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2356
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1384
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4360
- - C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
    3⤵
    PID:3672
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpDEC7.tmp" -C "C:\Users\Admin\AppData\Local\6rfb5r0uff"
      4⤵
      PID:3500

C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe

Filesize
250KB

MD5
24a8408510d9b173b9dc078574261d28

SHA1
2ecfc788687aadbd9cc42ea311210f7cde5fa064

SHA256
67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

SHA512
de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe

Filesize
250KB

MD5
24a8408510d9b173b9dc078574261d28

SHA1
2ecfc788687aadbd9cc42ea311210f7cde5fa064

SHA256
67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

SHA512
de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe

Filesize
250KB

MD5
24a8408510d9b173b9dc078574261d28

SHA1
2ecfc788687aadbd9cc42ea311210f7cde5fa064

SHA256
67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

SHA512
de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D5f0a5d17c7420fe49da676.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEC7.tmp

Filesize
1024KB

MD5
58a738d9eedeccb7a11cb644ee0ce691

SHA1
b63e462ba672da1fbe9c89760e739d6daebcfeea

SHA256
6393d1e5914f90df6f7e60577f56bae5084228e529d536c644ae342f65af68ad

SHA512
fdb2d40ad8b42cae007ec045b16c572019892797a60a72aafdad92ba71521a4e49713e8a94e2fcc3c98a93dfed98ce1aa79fb786886e0d7644059e458b40eeb3

Download Submit
memory/2072-0-0x00000153B3210000-0x00000153B3254000-memory.dmp

Filesize
272KB

Download
memory/2072-1-0x00007FFD7F620000-0x00007FFD800E1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-2-0x00000153B3670000-0x00000153B3680000-memory.dmp

Filesize
64KB

Download
memory/2072-6-0x00007FFD7F620000-0x00007FFD800E1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-11-0x00007FFD7EBA0000-0x00007FFD7F661000-memory.dmp

Filesize
10.8MB

Download
memory/3672-12-0x0000020BAE460000-0x0000020BAE470000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads