gurcu | e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

10-04-2024 02:17

10-04-2024 02:17

13-05-2023 22:56

Analysis

max time kernel
291s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qsteemp.exe
Size

165KB
MD5

90cd3202af31b431dcc5e47cf3b8c0d7
SHA1

747f68fb8f122241059c219eeeeadac61e8215be
SHA256

e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
SHA512

b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481
SSDEEP

3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 12 IoCs

pid	Process
3820	qsteemp.exe
5080	tor.exe
2216	qsteemp.exe
496	tor.exe
3508	qsteemp.exe
2112	tor.exe
4216	qsteemp.exe
3520	tor.exe
2120	qsteemp.exe
3328	tor.exe
3404	qsteemp.exe
3936	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3984	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
240	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3820	qsteemp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	qsteemp.exe
Token: SeDebugPrivilege	2216	qsteemp.exe
Token: SeDebugPrivilege	3508	qsteemp.exe
Token: SeDebugPrivilege	4216	qsteemp.exe
Token: SeDebugPrivilege	2120	qsteemp.exe
Token: SeDebugPrivilege	3404	qsteemp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 5060	4700	qsteemp.exe	78
PID 4700 wrote to memory of 5060	4700	qsteemp.exe	78
PID 5060 wrote to memory of 2800	5060	cmd.exe	80
PID 5060 wrote to memory of 2800	5060	cmd.exe	80
PID 5060 wrote to memory of 240	5060	cmd.exe	81
PID 5060 wrote to memory of 240	5060	cmd.exe	81
PID 5060 wrote to memory of 3984	5060	cmd.exe	82
PID 5060 wrote to memory of 3984	5060	cmd.exe	82
PID 5060 wrote to memory of 3820	5060	cmd.exe	83
PID 5060 wrote to memory of 3820	5060	cmd.exe	83
PID 3820 wrote to memory of 4464	3820	qsteemp.exe	84
PID 3820 wrote to memory of 4464	3820	qsteemp.exe	84
PID 3820 wrote to memory of 5080	3820	qsteemp.exe	86
PID 3820 wrote to memory of 5080	3820	qsteemp.exe	86
PID 2216 wrote to memory of 496	2216	qsteemp.exe	89
PID 2216 wrote to memory of 496	2216	qsteemp.exe	89
PID 3508 wrote to memory of 2112	3508	qsteemp.exe	95
PID 3508 wrote to memory of 2112	3508	qsteemp.exe	95
PID 4216 wrote to memory of 3520	4216	qsteemp.exe	100
PID 4216 wrote to memory of 3520	4216	qsteemp.exe	100
PID 2120 wrote to memory of 3328	2120	qsteemp.exe	105
PID 2120 wrote to memory of 3328	2120	qsteemp.exe	105
PID 3404 wrote to memory of 3936	3404	qsteemp.exe	110
PID 3404 wrote to memory of 3936	3404	qsteemp.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
"C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2800
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:240
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3984
- - C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpA47D.tmp" -C "C:\Users\Admin\AppData\Local\6kfrvwd31o"
      4⤵
      PID:4464
  - - C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
      "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:5080

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:496

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2112

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3520

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3328

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe
  "C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-certs

Filesize
18KB

MD5
e9dd1bc6b1429811277d06910ea63f7e

SHA1
a3b4ee7186fa2ada5da1132c947cf69e21f5da80

SHA256
7ad8453bfa20b98f1734fa94a1be7619205dd7e1e65c49972542a684122a6a25

SHA512
5c66a17cab453e28bf7cbf4b8d533e618135539ccb0c863f7e64c94e6df69cf71af2c58b601c3da67fc2ff5973bc1ccda7de43a2d133a9e4eb0096403e8fe4c6

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdesc-consensus

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\data\cached-microdescs.new

Filesize
4.6MB

MD5
ec9e2078bea9a6a2252e21ad18e8be49

SHA1
3029bc1b2258774cb89c7564ff7ddcd94d4e2e9d

SHA256
d550c9f5990d8c932d6cdfdc89adbd277cacf4a9f55f61015d2f94fd56d28ac6

SHA512
4c93d9c10f0f3e63952cc6eb8b90d1be47729f2e39f819b89831da8769b2e50c89a671a82c7849b405c9dc82e46805e29d0300e4984a2f47c95bebdea194b32d

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\host\hostname

Filesize
64B

MD5
ed4de0648295e15a1a538124cff74d85

SHA1
2d2873b23db37d2959b59045c86cee62a02652f4

SHA256
adbc5a1cf29854168d20f3fa133b08c13b7e0bff88ec1c11d29973e6956676d3

SHA512
f43dcf952a5a94e070e6a51177a6a51ad3051eb5a6d42ce7b36bc673336082e3bd4c7d53b5a9eb2c440f12344268b9ec6537e6431246eff67a5f0fa798e1992a

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

Filesize
4B

MD5
123b7f02433572a0a560e620311a469c

SHA1
4d2b62d9c64119cb4313e92b233c7793c63e6302

SHA256
ecf8103662b93ccc41bc42ba074379fedce3688c49093102b9200f0cec473559

SHA512
05f01f411cccb0dc04a275857f80257b853c5a20333289e34c84022585f3a17d5515410549e573179582340d21b70bcd23f0ceab210e5214d214b538f9ff8e46

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\6kfrvwd31o\torrc.txt

Filesize
218B

MD5
e62c3f119a06111da267813be4f71cfb

SHA1
17888dec9a30eee7f72ff849f19becfe10d61202

SHA256
ffc73d8fd2c46a5a8a6eb22fec353f3fecc08469d5361ac4d2930e505b898ea4

SHA512
4f1ac251627e97f07f20414d170fff30a86fb517ddcec66b1d2022c2271811692adf607be3282c498bb2cf68a5c4c5c85c289117fe8feb3a01f2fb7d6311bf6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

Filesize
1KB

MD5
081b644082c51f2ff0f00087877003b5

SHA1
2eeb0a8a592e5327873f5a6704031c1ff6d0bd31

SHA256
cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac

SHA512
95621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

Filesize
165KB

MD5
90cd3202af31b431dcc5e47cf3b8c0d7

SHA1
747f68fb8f122241059c219eeeeadac61e8215be

SHA256
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

SHA512
b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA47D.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/2120-120-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/2120-117-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/2120-118-0x0000017E9A320000-0x0000017E9A330000-memory.dmp

Filesize
64KB

Download
memory/2216-52-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/2216-53-0x000002A7A3B20000-0x000002A7A3B30000-memory.dmp

Filesize
64KB

Download
memory/2216-60-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3404-128-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3404-126-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3508-92-0x00000205693E0000-0x00000205693F0000-memory.dmp

Filesize
64KB

Download
memory/3508-91-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3508-94-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3820-62-0x0000022A40910000-0x0000022A40920000-memory.dmp

Filesize
64KB

Download
memory/3820-61-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3820-11-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/3820-12-0x0000022A40910000-0x0000022A40920000-memory.dmp

Filesize
64KB

Download
memory/4216-108-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/4216-109-0x0000024645D60000-0x0000024645D70000-memory.dmp

Filesize
64KB

Download
memory/4216-111-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/4700-6-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/4700-1-0x00007FFDC4F60000-0x00007FFDC5A22000-memory.dmp

Filesize
10.8MB

Download
memory/4700-2-0x000002D022860000-0x000002D022870000-memory.dmp

Filesize
64KB

Download
memory/4700-0-0x000002D0081C0000-0x000002D0081F0000-memory.dmp

Filesize
192KB

Download