gurcu | c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

General

Target

x19a4f9f3d16fcc9779ba8ea79bf7.exe
Size

392KB
MD5

2299a17350433284e58bd0fcc10edf41
SHA1

d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512

123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
SSDEEP

6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2168	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1012	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3648	4944	x19a4f9f3d16fcc9779ba8ea79bf7.exe	81
PID 4944 wrote to memory of 3648	4944	x19a4f9f3d16fcc9779ba8ea79bf7.exe	81
PID 3648 wrote to memory of 4676	3648	cmd.exe	83
PID 3648 wrote to memory of 4676	3648	cmd.exe	83
PID 3648 wrote to memory of 2604	3648	cmd.exe	84
PID 3648 wrote to memory of 2604	3648	cmd.exe	84
PID 3648 wrote to memory of 1012	3648	cmd.exe	85
PID 3648 wrote to memory of 1012	3648	cmd.exe	85
PID 3648 wrote to memory of 2768	3648	cmd.exe	86
PID 3648 wrote to memory of 2768	3648	cmd.exe	86
PID 2768 wrote to memory of 4756	2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe	87
PID 2768 wrote to memory of 4756	2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe	87
PID 2768 wrote to memory of 2168	2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe	89
PID 2768 wrote to memory of 2168	2768	x19a4f9f3d16fcc9779ba8ea79bf7.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4676
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2604
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1012
- - C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2768
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9664.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"
      4⤵
      PID:4756
  - - C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x19a4f9f3d16fcc9779ba8ea79bf7.exe.log

Filesize
847B

MD5
486ebddc86ea8b3e965d390d22283a23

SHA1
eaffc047f067084867e8575c576a9ec60e094ba8

SHA256
50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d

SHA512
0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9664.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\host\hostname

Filesize
64B

MD5
abd480046d79d75c69f8c3376754d40b

SHA1
f8f89e78d54ccd44a2dd7c7403b8baa427339417

SHA256
2b89777fe64106c82ac66e4485405f8191deddbcc0ed7dc7ae52efc9271c0377

SHA512
a3f3f08492e9c48fb0a00262f03a34f3a95f3606650cb4edb8bd47fc3df995ac0d184d4ecae718925616ebfdd56cadf6dc43d73b7e81bc5219f269b49ae18598

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt

Filesize
218B

MD5
53bd2ff460d4c3fb3c787f25625b9741

SHA1
9ae44ff71af5776ee22d412c0b42d39b9fc44171

SHA256
cb7254e44d9f0ec9a269b21b60156b29b131aa4e502b9c5a331a737359f0528e

SHA512
42569e629cd14cf5fc9d5a00bbd7531ed08ac782fa7165410de6e96b4ca46d4760bc143ffb73ad405bd67e0a42b0ac58665cdc2b9329b17aa7fe7b97d31cd27c

Download Submit
memory/2768-11-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

Filesize
10.8MB

Download
memory/2768-12-0x000002927B4B0000-0x000002927B4C0000-memory.dmp

Filesize
64KB

Download
memory/4944-0-0x000001F16B6C0000-0x000001F16B728000-memory.dmp

Filesize
416KB

Download
memory/4944-1-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

Filesize
10.8MB

Download
memory/4944-2-0x000001F16DE60000-0x000001F16DE70000-memory.dmp

Filesize
64KB

Download
memory/4944-6-0x00007FFE95A20000-0x00007FFE964E2000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads