gurcu | e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

10-04-2024 02:17

10-04-2024 02:17

13-05-2023 22:56

Analysis

max time kernel
192s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qsteemp.exe
Size

165KB
MD5

90cd3202af31b431dcc5e47cf3b8c0d7
SHA1

747f68fb8f122241059c219eeeeadac61e8215be
SHA256

e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
SHA512

b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481
SSDEEP

3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
552	qsteemp.exe
5080	qsteemp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4060	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3520	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	qsteemp.exe
Token: SeDebugPrivilege	5080	qsteemp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4072	4068	qsteemp.exe	75
PID 4068 wrote to memory of 4072	4068	qsteemp.exe	75
PID 4072 wrote to memory of 3744	4072	cmd.exe	77
PID 4072 wrote to memory of 3744	4072	cmd.exe	77
PID 4072 wrote to memory of 3520	4072	cmd.exe	78
PID 4072 wrote to memory of 3520	4072	cmd.exe	78
PID 4072 wrote to memory of 4060	4072	cmd.exe	79
PID 4072 wrote to memory of 4060	4072	cmd.exe	79
PID 4072 wrote to memory of 552	4072	cmd.exe	80
PID 4072 wrote to memory of 552	4072	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
"C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3744
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3520
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4060
- - C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:552

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

Filesize
4B

MD5
8c5ebe834bb61a2e5ab8ef38f8d940f3

SHA1
72f98241eafcb4012285d1afdf46b12021f3cf10

SHA256
e5b82b15c2c265c2733d7e4a1d9b3207c6b1de55d69e26e8c4b631b53299164f

SHA512
54b14a45d632bca7d9d30f715b3e616914f427b4f1bb1418cddfc0a247a0e309c28b4cc6ae2a67cffd7238081d22cc9952bfcd1d9780ffb429aa4506d469aeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

Filesize
165KB

MD5
90cd3202af31b431dcc5e47cf3b8c0d7

SHA1
747f68fb8f122241059c219eeeeadac61e8215be

SHA256
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

SHA512
b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

Download Submit
memory/552-12-0x0000029F7B550000-0x0000029F7B560000-memory.dmp

Filesize
64KB

Download
memory/552-21-0x0000029F7B550000-0x0000029F7B560000-memory.dmp

Filesize
64KB

Download
memory/552-20-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/552-11-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/4068-6-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/4068-0-0x00000224F76C0000-0x00000224F76F0000-memory.dmp

Filesize
192KB

Download
memory/4068-2-0x00000224F94A0000-0x00000224F94B0000-memory.dmp

Filesize
64KB

Download
memory/4068-1-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/5080-16-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/5080-17-0x000001C64A0A0000-0x000001C64A0B0000-memory.dmp

Filesize
64KB

Download
memory/5080-22-0x00007FF8C8AF0000-0x00007FF8C94DC000-memory.dmp

Filesize
9.9MB

Download
memory/5080-23-0x000001C64A0A0000-0x000001C64A0B0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads