Overview

overview

10

Static

static

10

D5f0a5d17c...76.exe

windows7-x64

10

D5f0a5d17c...76.exe

windows10-1703-x64

10

D5f0a5d17c...76.exe

windows10-2004-x64

10

D5f0a5d17c...76.exe

windows11-21h2-x64

10

Resubmissions

10-04-2024 02:29

240410-cy22baca54 10

10-04-2024 02:29

240410-cy2esafc8z 10

10-04-2024 02:29

240410-cy1s9aca52 10

10-04-2024 02:29

240410-cy1hgsfc8x 10

14-10-2023 01:29

231014-bwm9pshg4t 10

Analysis

  • max time kernel
    298s
  • max time network
    305s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-04-2024 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    D5f0a5d17c7420fe49da676.exe

  • Size

    250KB

  • MD5

    24a8408510d9b173b9dc078574261d28

  • SHA1

    2ecfc788687aadbd9cc42ea311210f7cde5fa064

  • SHA256

    67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

  • SHA512

    de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

  • SSDEEP

    6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Executes dropped EXE 12 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe
    "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4168
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3260
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:3388
        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpE3C8.tmp" -C "C:\Users\Admin\AppData\Local\6rfb5r0uff"
            4⤵
              PID:1576
            • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
              "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:1692
      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3756
      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:5040
      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4528
      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3896
      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2024
        • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
          "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3212

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\data\cached-microdesc-consensus
        Filesize

        2.7MB

        MD5

        a0db8a87f7b723266c8b04255da46b06

        SHA1

        4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

        SHA256

        60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

        SHA512

        41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\data\cached-microdescs.new
        Filesize

        8.3MB

        MD5

        1f035a41f57996d411d81a6c880e9669

        SHA1

        3be4e0a4288f7b141f8b6790b1a3c2c671e65123

        SHA256

        bfc5cba775969a2d30d96486815c3660ae93de5a2314b581a2dbe2a736ab5a8f

        SHA512

        54854706608ee6c936f7f70928389149484027e43c5682403c6f40bfa31f748b09f5383cf6ed09d79d0ca4397bb5d9e3040367ea0d2d4004f287484bd2567804

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\host\hostname
        Filesize

        64B

        MD5

        79d5996c77aed8b88b54bfb9e68635e3

        SHA1

        bd5c5ba79887456938e03a809ca8ff131813c672

        SHA256

        4c715c285415a84840a9e94ff1dfd2fbd11d06542e73da71b88fed0a83172b7d

        SHA512

        6362e192bbbd0e5738a661d2989fa0f6536b01505b909dce972561e091866286cbe5a72120b946c189df6cf10f963072c3798c9750407d1065a1f01f8edca8f2

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\port.dat
        Filesize

        4B

        MD5

        dd28e50635038e9cf3a648c2dd17ad0a

        SHA1

        c7332976a95835182f8b2c8a2742e00c52bc65ea

        SHA256

        4e893a5e600e9e6d353b97ebf9fe435808664c11a539baae96799d80eccc7a72

        SHA512

        19e52dc480960bc28b2d476da2078364f24e0f14d35e77ae7b41df8faf800cd3a68099be34f9dabc7789e744238487435da542df8c841e11f3c30fafa6ba696a

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt
        Filesize

        218B

        MD5

        8806a843a8c89e33d9138f28d05c0f70

        SHA1

        2d6d4df0d3791105f044dc29e78e1ed3cd8a7542

        SHA256

        daf1771b9fd7e3ac13eab136895b56401a538207137ca46e3679ac2f54f41723

        SHA512

        b7720d3925ef18ae935654ca95ee5f473fe2942c92e412e483154e3eb9e316867fe5ab590b7fb233168fa19b239591b557473f81ec902ef28c0fadd6d9bc8edf

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        Filesize

        250KB

        MD5

        24a8408510d9b173b9dc078574261d28

        SHA1

        2ecfc788687aadbd9cc42ea311210f7cde5fa064

        SHA256

        67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

        SHA512

        de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D5f0a5d17c7420fe49da676.exe.log
        Filesize

        1KB

        MD5

        081b644082c51f2ff0f00087877003b5

        SHA1

        2eeb0a8a592e5327873f5a6704031c1ff6d0bd31

        SHA256

        cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac

        SHA512

        95621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        472B

        MD5

        a5d38b754ff1fd51ba13759025a5cbc5

        SHA1

        194aae27a2476723af3a9d99e31c014bd0b8db88

        SHA256

        9b22f2a3f6a104437bc8a0e0ceb265c4110a627e3efddcf8d751c9ddca0968d1

        SHA512

        16ebe9ac72014f69dfafc6c50192250053dc5e966691b1e4b8c07870ba1d22c983a2450dcc0142618213a25ef52c1cae6f098da4a2ddc0fc9e9d7ad713e5a89c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        590B

        MD5

        00f72bdf8f99dcfd7bc4045c1443eccb

        SHA1

        830730973079a93ee2e2744b591c219e3b9538b0

        SHA256

        4d029eaae447d78601428ca5c7a256a0d8516ed9aab82a74ad31ee422724c228

        SHA512

        8978360d079511821dda5b38b8feb4dd4825281219890530e8fd688f769ec5712ff95445ed1c1377a29b5bcab0728f200f1e065ae7c570d0d294297ac9fbfd6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        236B

        MD5

        c59159804951e8f21082d35e955cd2e2

        SHA1

        a8ec64e75b412615dcc1d321064eb0fc18b635d3

        SHA256

        e17a3b7bf64bade07186fd1f8c2f30f230bb8c1f02944378ec67dc98e2b64690

        SHA512

        6873bafaca88772c1ede9301c0d9f3b04d3fee6d68b667a8d8354b0c0344f4be7c677bc9dc3af6f68f97f935ec3190684939fd75be441866fc8d4995ded78ae5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        354B

        MD5

        9ae1710db2b80bbd3a60d3568b9e26a0

        SHA1

        ec99a61d884f7224faab453cd40406c89a8296de

        SHA256

        bfe7d89feb636b8fd7dafc26303eae266ea3a292ae2c4dc35ced5ecee5de9f4c

        SHA512

        3def458b9b6ffb43868406661dd553799f146100945a37a98d20b65d1d0992839a5fd5c6250e6cb4530532ae1deeb0d3f035834837c8f31b6bd4d6d379c376eb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpE3C8.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • memory/224-2-0x000001F8F1550000-0x000001F8F1560000-memory.dmp

        Filesize

        64KB

        Download

      • memory/224-1-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-0-0x000001F8EEF00000-0x000001F8EEF44000-memory.dmp

        Filesize

        272KB

        Download

      • memory/224-6-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1548-44-0x000001DEE2D10000-0x000001DEE2D20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1548-40-0x000001DEE3380000-0x000001DEE3533000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1548-42-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1548-12-0x000001DEE2D10000-0x000001DEE2D20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1548-11-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2024-148-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2024-144-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-94-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-98-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3152-50-0x000002016CAE0000-0x000002016CC93000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3152-51-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3152-46-0x00000201524A0000-0x00000201524B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3152-45-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3648-124-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3648-128-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4728-86-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4728-82-0x00000170DD450000-0x00000170DD460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4728-81-0x00007FF99A6B0000-0x00007FF99B172000-memory.dmp

        Filesize

        10.8MB

        Download