Resubmissions

10-04-2024 02:29

240410-cy22baca54 10

10-04-2024 02:29

240410-cy2esafc8z 10

10-04-2024 02:29

240410-cy1s9aca52 10

10-04-2024 02:29

240410-cy1hgsfc8x 10

14-10-2023 01:29

231014-bwm9pshg4t 10

Analysis

  • max time kernel
    193s
  • max time network
    302s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    10-04-2024 02:29

General

  • Target

    D5f0a5d17c7420fe49da676.exe

  • Size

    250KB

  • MD5

    24a8408510d9b173b9dc078574261d28

  • SHA1

    2ecfc788687aadbd9cc42ea311210f7cde5fa064

  • SHA256

    67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

  • SHA512

    de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

  • SSDEEP

    6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe
    "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4604
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:1140
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4464
        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4308
    • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
      C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
      1⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1124


    Downloads

    • C:\Users\Admin\AppData\Local\6rfb5r0uff\port.dat

      Filesize

      4B

      MD5

      f5e62af885293cf4d511ceef31e61c80

      SHA1

      f933be252dfed9664ffdf6d6a9b4c5e9d3abe76e

      SHA256

      10ec7498052c63661dff4f864feecbd58fd9099d0a46fd8c1ebee73fc23f4a02

      SHA512

      dccfaa360a0ea39382d57b16bdbeb95d029301ecc5a91f482c267e233225692409c9ba20c13e7f730405037aae1cae2209d394e21899a231a4459649f58d461f

    • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe

      Filesize

      250KB

      MD5

      24a8408510d9b173b9dc078574261d28

      SHA1

      2ecfc788687aadbd9cc42ea311210f7cde5fa064

      SHA256

      67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

      SHA512

      de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D5f0a5d17c7420fe49da676.exe.log

      Filesize

      1KB

      MD5

      d51a38b0538aafbb39cd4743767cf2a3

      SHA1

      ec819ad7959110e2244b2978e4a60e4c5e99961d

      SHA256

      8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

      SHA512

      51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

    • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

      Filesize

      82B

      MD5

      1d2c0986ba3c3af924ad4b8776a45190

      SHA1

      e4199810598c592fb4304eb37cf90d2ce2065a11

      SHA256

      8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2

      SHA512

      275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

    • memory/1124-20-0x000001CE69F50000-0x000001CE69F60000-memory.dmp

      Filesize

      64KB

    • memory/1124-19-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1124-25-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1124-26-0x000001CE69F50000-0x000001CE69F60000-memory.dmp

      Filesize

      64KB

    • memory/4308-11-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB

    • memory/4308-17-0x000001E976250000-0x000001E976260000-memory.dmp

      Filesize

      64KB

    • memory/4308-12-0x000001E976250000-0x000001E976260000-memory.dmp

      Filesize

      64KB

    • memory/4308-16-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB

    • memory/4720-0-0x000001D694960000-0x000001D6949A4000-memory.dmp

      Filesize

      272KB

    • memory/4720-2-0x000001D6AF000000-0x000001D6AF010000-memory.dmp

      Filesize

      64KB

    • memory/4720-1-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB

    • memory/4720-6-0x00007FFEC8910000-0x00007FFEC92FC000-memory.dmp

      Filesize

      9.9MB