gurcu | e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

10-04-2024 02:17

10-04-2024 02:17

13-05-2023 22:56

Analysis

max time kernel
666s
max time network
1594s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qsteemp.exe
Size

165KB
MD5

90cd3202af31b431dcc5e47cf3b8c0d7
SHA1

747f68fb8f122241059c219eeeeadac61e8215be
SHA256

e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
SHA512

b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481
SSDEEP

3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
4628	qsteemp.exe
3384	qsteemp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
12	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4344	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3396	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	qsteemp.exe
Token: SeDebugPrivilege	3384	qsteemp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3900	4060	qsteemp.exe	73
PID 4060 wrote to memory of 3900	4060	qsteemp.exe	73
PID 3900 wrote to memory of 4300	3900	cmd.exe	75
PID 3900 wrote to memory of 4300	3900	cmd.exe	75
PID 3900 wrote to memory of 3396	3900	cmd.exe	76
PID 3900 wrote to memory of 3396	3900	cmd.exe	76
PID 3900 wrote to memory of 4344	3900	cmd.exe	77
PID 3900 wrote to memory of 4344	3900	cmd.exe	77
PID 3900 wrote to memory of 4628	3900	cmd.exe	78
PID 3900 wrote to memory of 4628	3900	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
"C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4300
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3396
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4344
- - C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4628

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

Filesize
4B

MD5
d290dc6cabaffa37f5473eb33611607e

SHA1
3ba27d9d05dd2bbdd33e81cdc4b8ab6aa14da0e0

SHA256
49a57aab5a13e0550685844e50e34a6a7f89e0b71af533f02050ed40ffdc74ab

SHA512
a5e4f8b40d50f1bc01d235891e676c89c5bc053213b495f26b999abdb0d45361758d4343ed72adc8e1aa1f77819b5955be57065e775ec47a42f631e0f0a06871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

Filesize
165KB

MD5
90cd3202af31b431dcc5e47cf3b8c0d7

SHA1
747f68fb8f122241059c219eeeeadac61e8215be

SHA256
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

SHA512
b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

Download Submit
memory/3384-19-0x0000028E73DB0000-0x0000028E73DC0000-memory.dmp

Filesize
64KB

Download
memory/3384-23-0x0000028E73DB0000-0x0000028E73DC0000-memory.dmp

Filesize
64KB

Download
memory/3384-22-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/3384-18-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-1-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-2-0x00000256B60E0000-0x00000256B60F0000-memory.dmp

Filesize
64KB

Download
memory/4060-6-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-0-0x000002569BB90000-0x000002569BBC0000-memory.dmp

Filesize
192KB

Download
memory/4628-11-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4628-16-0x000002066ACE0000-0x000002066ACF0000-memory.dmp

Filesize
64KB

Download
memory/4628-15-0x00007FFC0A020000-0x00007FFC0AA0C000-memory.dmp

Filesize
9.9MB

Download
memory/4628-12-0x000002066ACE0000-0x000002066ACF0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads