gurcu | e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

Resubmissions

10-04-2024 02:17

240410-cqs4fafc2v 10

10-04-2024 02:17

10-04-2024 02:17

10-04-2024 02:17

13-05-2023 22:56

Analysis

max time kernel
316s
max time network
875s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qsteemp.exe
Size

165KB
MD5

90cd3202af31b431dcc5e47cf3b8c0d7
SHA1

747f68fb8f122241059c219eeeeadac61e8215be
SHA256

e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
SHA512

b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481
SSDEEP

3072:fV6h5WXwyNUD44ykiQbGjlc/SGvjQtbGTl2MRMc:9AuwMPkhbGRc/T6A

Score

10^/10

gurcu spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
3612	qsteemp.exe
4128	qsteemp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
512	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	qsteemp.exe
Token: SeDebugPrivilege	4128	qsteemp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1232	3580	qsteemp.exe	75
PID 3580 wrote to memory of 1232	3580	qsteemp.exe	75
PID 1232 wrote to memory of 4740	1232	cmd.exe	77
PID 1232 wrote to memory of 4740	1232	cmd.exe	77
PID 1232 wrote to memory of 512	1232	cmd.exe	78
PID 1232 wrote to memory of 512	1232	cmd.exe	78
PID 1232 wrote to memory of 2988	1232	cmd.exe	79
PID 1232 wrote to memory of 2988	1232	cmd.exe	79
PID 1232 wrote to memory of 3612	1232	cmd.exe	80
PID 1232 wrote to memory of 3612	1232	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\qsteemp.exe
"C:\Users\Admin\AppData\Local\Temp\qsteemp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\qsteemp.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4740
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:512
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "qsteemp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2988
- - C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
    "C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3612

C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6kfrvwd31o\port.dat

Filesize
4B

MD5
055e31fa43e652cb4ab6c0ee845c8d36

SHA1
bc35074eff4dfda212200b176619f6d4b2f3d459

SHA256
c45c01c3885bc08666959321f2baa506550c313732851f871e977b1cef564e98

SHA512
f5d1cb49b5a03a2b7b49e38c4b389c9fc949a69b03d60f105311989cab8d9914dc0ab4d70ca9bf9feccd900e4fbb35a809660cb39201368c0c5f0907e5ba5ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qsteemp.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\qsteemp.exe

Filesize
165KB

MD5
90cd3202af31b431dcc5e47cf3b8c0d7

SHA1
747f68fb8f122241059c219eeeeadac61e8215be

SHA256
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732

SHA512
b1025ca0dfa86cd6649337bfc6b555a9101fce38955566424955a6fe07782bea41eeaf4f233946eb6be5756b23398129bad98a87c6b07478f787df8bf3235481

Download Submit
memory/3580-1-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/3580-2-0x000001D04C0B0000-0x000001D04C0C0000-memory.dmp

Filesize
64KB

Download
memory/3580-6-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/3580-0-0x000001D031C20000-0x000001D031C50000-memory.dmp

Filesize
192KB

Download
memory/3612-11-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/3612-12-0x00000266E8B00000-0x00000266E8B10000-memory.dmp

Filesize
64KB

Download
memory/3612-20-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-16-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-17-0x000002439D280000-0x000002439D290000-memory.dmp

Filesize
64KB

Download
memory/4128-21-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-22-0x000002439D280000-0x000002439D290000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads