gurcu | c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9

General

Target

m1f1f3a069223072f8d6802a079235d.exe
Size

306KB
MD5

4b36dcaa94c3eca48a6292bd670ffe79
SHA1

705484e61ac39ba02cc80903be0da6ce74333334
SHA256

c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9
SHA512

cf07d7f80264554eb3b945421ca41db38ff79707775d355d478c09f4b64d14f523339295aa4bc9b79c0dbb004e6756585bcf85edc8cbc2d16f7f0481be93513a
SSDEEP

3072:71E/yXS0m2pOVLVewP2D/kIyC+mvXi1QJIkjXAToknBq9tT/8RJ6W3t3dpdQGqKI:7E2mDMtqa5EOTeKXAllKD9bmTneefA

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
4588	m1f1f3a069223072f8d6802a079235d.exe
2220	m1f1f3a069223072f8d6802a079235d.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com
63	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4964	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3760	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	m1f1f3a069223072f8d6802a079235d.exe
Token: SeDebugPrivilege	4588	m1f1f3a069223072f8d6802a079235d.exe
Token: SeDebugPrivilege	2220	m1f1f3a069223072f8d6802a079235d.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 5036	2520	m1f1f3a069223072f8d6802a079235d.exe	73
PID 2520 wrote to memory of 5036	2520	m1f1f3a069223072f8d6802a079235d.exe	73
PID 5036 wrote to memory of 4472	5036	cmd.exe	75
PID 5036 wrote to memory of 4472	5036	cmd.exe	75
PID 5036 wrote to memory of 3760	5036	cmd.exe	76
PID 5036 wrote to memory of 3760	5036	cmd.exe	76
PID 5036 wrote to memory of 4964	5036	cmd.exe	77
PID 5036 wrote to memory of 4964	5036	cmd.exe	77
PID 5036 wrote to memory of 4588	5036	cmd.exe	78
PID 5036 wrote to memory of 4588	5036	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe
"C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "m1f1f3a069223072f8d6802a079235d" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4472
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3760
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "m1f1f3a069223072f8d6802a079235d" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4964
- - C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    PID:4588

C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\m1f1f3a069223072f8d6802a079235d.exe.log

Filesize
847B

MD5
a908a7c6e93edeb3e400780b6fe62dde

SHA1
36e2b437f41443f6b41b45b35a0f97b2cd94123d

SHA256
cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0

SHA512
deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe

Filesize
306KB

MD5
4b36dcaa94c3eca48a6292bd670ffe79

SHA1
705484e61ac39ba02cc80903be0da6ce74333334

SHA256
c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9

SHA512
cf07d7f80264554eb3b945421ca41db38ff79707775d355d478c09f4b64d14f523339295aa4bc9b79c0dbb004e6756585bcf85edc8cbc2d16f7f0481be93513a

Download Submit
C:\Users\Admin\AppData\Local\d67800nkmj\port.dat

Filesize
4B

MD5
e97399278d24e6bbf3a2d5e9c8d34262

SHA1
c85a0c05df75988715b67c566ccb8c625d3b74f0

SHA256
b9b1195fd5b5620d9b67b2b7157ea132230afb387ca5e6159a34811691656b6d

SHA512
ea69b090d6c5eceecde9efa03ba8be10609ea75069076bff60b93cfd01ed4cb2396251f4683cb9fdd2a3145eb0f614ad1aae2c062275dcb6fada8dfb3aaa508d

Download Submit
memory/2220-19-0x0000023464D30000-0x0000023464D40000-memory.dmp

Filesize
64KB

Download
memory/2220-23-0x0000023464D30000-0x0000023464D40000-memory.dmp

Filesize
64KB

Download
memory/2220-22-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-18-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-1-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-4-0x000001DEEF950000-0x000001DEEF960000-memory.dmp

Filesize
64KB

Download
memory/2520-6-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-0-0x000001DED5420000-0x000001DED5472000-memory.dmp

Filesize
328KB

Download
memory/4588-11-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/4588-16-0x00000236B1F10000-0x00000236B1F20000-memory.dmp

Filesize
64KB

Download
memory/4588-15-0x00007FFF034F0000-0x00007FFF03EDC000-memory.dmp

Filesize
9.9MB

Download
memory/4588-12-0x00000236B1F10000-0x00000236B1F20000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads