Resubmissions
10-04-2024 02:45
240410-c88xlscb89 1010-04-2024 02:45
240410-c88a3scb88 1010-04-2024 02:45
240410-c8631scb86 1010-04-2024 02:45
240410-c86ggscb85 1014-10-2023 02:07
231014-cj7cgsba81 10Analysis
-
max time kernel
598s -
max time network
606s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 02:45
General
-
Target
I63f8affb2294c837814c33f5446924ba.exe
-
Size
89KB
-
MD5
dfb3936eb972928af9ec106505364786
-
SHA1
06a05bf8d2675ea58e44d3fdc0d9e610be021ca8
-
SHA256
2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
-
SHA512
e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f
-
SSDEEP
1536:/JVNAuC4/P1xAqm9wRC+IWMVYJGOupb1cus6SQsjhp5cNbMQaZ9bqk4gxmsuZmQ+:fN//HAqm9wRC+IWMVYJGOubXsjL5wvsD
Malware Config
Signatures
-
Detect Gurcu Stealer V3 payload 2 IoCs
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 20 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 30 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\tar.exe"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7511.tmp" -C "C:\Users\Admin\AppData\Local\jdm9hu6p1h"4⤵
-
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"4⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exeC:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe"C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD5dfb3936eb972928af9ec106505364786
SHA106a05bf8d2675ea58e44d3fdc0d9e610be021ca8
SHA2562d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
SHA512e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f
-
Filesize
1KB
MD5fc1be6f3f52d5c841af91f8fc3f790cb
SHA1ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA2566da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA5122f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6
-
Filesize
354B
MD5d0136063baf963698e532beb5ca306e8
SHA13973b0fca3dd5733886e0f443b7a06b5bb1b3fd3
SHA256ffff03fb5250533be48b1161217c4468ad1e65087511db32fa15966527352512
SHA512f06a64882556fc88ce4e5a8f6c8763d2e50fc23b3cb0e960a33f47f3314d4830ff135a2c9d2b783dd9af225683c1329d061fb663a5c925a21ffc8db06f218ae1
-
Filesize
472B
MD5f5aaa2175f014809d2f31e9db1a8e34d
SHA1bba4a490c668a37f2461fe3275deaf0102b03060
SHA2568d84b754a5801870d664b94f448f7aacc57b72fe689e6b898ac121dac44004b0
SHA51241462d6fec39d16df1156d6a5e930129f3775c5a33f5d56a968308dd5a7071d28bde5cd9fd7e2218b8d33f29041872ddc7d1463e7e25563aa6266ce0172511f0
-
Filesize
590B
MD5fea8de2f78177fcd717e9dd6f70d125a
SHA1b46c9e80822105e7ce8adbbb097f20466b91a3c9
SHA256fe6883bd056375f20659862592ed90e9cfcc6ed34f703405a2a9d20ccf9a7d10
SHA51248a0eee1c08294ab1410ddec212284b7050b93ece9438159f8eb79623c9df31c19a4769bc030a878f3a6a7720b0264d33ea2c77e6cc423eb4da4496124875d66
-
Filesize
708B
MD59a3f74d49cfa94b6acad17429392694d
SHA1887d52a274ca704b519305d9bbc0abb03b093714
SHA2569c73bc01ae4a4f2229323755c55c5adf7577afbc83163247cca2b9c816230bc3
SHA512d3a3631a7cc45a0833016ad34f6ca7eabd3db2e8037692d0941747a2753280869ed84bfd7f11c53c44b51193f61f7ce8cbeaf0dde528cb715be72ea98a49646c
-
Filesize
826B
MD5ee6886271fb1abb4d32e8bf838077b8e
SHA120b338d20d81bea30020230fb8163d489b9b979b
SHA256162fd16276bc056a565fad0b052a9c232dd479c1553eca6efa0a43bf2aa89106
SHA5126c777c4b29616692cb99f6f1e005950867161250eddb56800fe715fd2d5910f7d239f99c278b6f8b948334818a5477d3c981068b09a725412cd3e818c6da28fb
-
Filesize
944B
MD50aacb722e0d8f5c5b7841875fe4be8c3
SHA1a1f25951a9f73f4c4e6bf9175ff07f5fa542afde
SHA256ba3ba24f199ad597027292effbd84e4f72a5c2d2d582a0ddd959229f1e185ba1
SHA5128850c7a05a413ef371ec0a32a2a93574c190d423cf14b8ea96e9f35151316e0f9e67d1047439f0e2bfb1348ee4f23daaadb6d369ce2954b6f5d974dee2a89648
-
Filesize
1KB
MD502e205357831b96c6f77a44f1b70f48f
SHA1ca9c918af003dd9f9746b01b2a687fb761828a27
SHA2564ad68cdeebe93998610454dcdc70c8abff3687d2a69090178136c9465fe5fe9c
SHA5123d7ffe8ce1044d45650d921c2831c697c2eb838828ae8925c58801d41c891fca738dbce8cf1fe7fcd5a7ad18cb69e010c82fa529baa954a719cf6b2948c0c282
-
Filesize
236B
MD5102193abdb1eb2bb9e37714b6ae8ea5d
SHA1321d9755016b0147e63e3db8f19f28b882750d98
SHA2566e36536616d3363569c943417ecf104d4478f5313bbc35b63f6efc0cf94ddcc9
SHA512a35b6c5d051809f6e532a5ab629a531f180aafc0dc4b525660f1aba75032f1b08bd6ef2da7e305a4884915a3aefb55d9cb6af6f5c9db763f6900d093f13bd670
-
Filesize
13.3MB
MD589d2d5811c1aff539bb355f15f3ddad0
SHA15bb3577c25b6d323d927200c48cd184a3e27c873
SHA256b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA51239e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289
-
Filesize
2.6MB
MD58155dd4a16697830a63d507d2666b2a9
SHA1e07a54b15c905cd1d9d41db3ccde3bade36bcdb4
SHA2566b4f443629c32b632d8ad7bcb17d84da1e4eaec556dccdf98c5e9051cb404fed
SHA5120cb6c3fa12cbe7f8e63c5c73c0665fc2593109801ba318c582c4bd1c14dfd27fff3252c22b9078040e743ec788ad9534856c72ca5e38d992d9cb5aeacf819e6f
-
Filesize
8.2MB
MD54993a9d2ae730d864efaa96d30e77245
SHA1081638b152d2edc53855077e5a01abb055c925cd
SHA256bd2f7028e51d447129ae50a5f0f596e060fe36efe1d3e6dd5b5c9ac1962219b0
SHA512dff206f9b1abcb978d73f759b683c480666e7c296c732fba25625322dff1451e0d6f6c9f5173984d428c4ca7a91c4470ed5bce8c6933b4c138c0e23a956b74e8
-
Filesize
64B
MD58541e0328f3adc4451819b1d9579d8be
SHA1cf3c07d96049684a2bca9cd714718ee7e8a98ed0
SHA256f526b16103897af060521c5b39b564ea75e506760c4952d50c0287ab8f113160
SHA5123a7d649bef6589bf025ca4fa8895f92208fe549919b842b31ab46ac95aa1451f991864fb25958f2b6e1c8f4f85d9520a528d65978bb471434b17924d1e076b46
-
Filesize
4B
MD5d5036c64412973d610202be8dce2b82a
SHA1815077b0cb9cb6adb6416a6f6ffc3164e48a6400
SHA25635a08ecb0a7969b4fbeba80a08f702828fb80abe35dfdfc07da571b6c85fd515
SHA512df9fac7b264fe5f13de600deda9e691d56a8c6cde1ba51419bbed9d8f62c1488e9f5fa198e9960589df9b727fdb47ee9c2ee10d8846351981ab4bc2e6a517275
-
Filesize
7.4MB
MD588590909765350c0d70c6c34b1f31dd2
SHA1129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA25646fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
-
Filesize
218B
MD5e2be2bdc44a38d2fc331aadfe3acfaee
SHA1c5c05836000abc84f3d6ca69c3baee657865f507
SHA2568056b3f242b76fbc3ac805f5656891bb3c6310f852e838ed35af07124c5414c1
SHA51217c1c37701b9981e91b77406e4b3ae48da6afe6c7c1f3c69e6dc9c371a8a3392b86f34333fbe94456a59949cd0ae43751f40c8340c938fbbd85403e77d73af60
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB