Resubmissions
10-04-2024 02:29
240410-cy22baca54 1010-04-2024 02:29
240410-cy2esafc8z 1010-04-2024 02:29
240410-cy1s9aca52 1010-04-2024 02:29
240410-cy1hgsfc8x 1014-10-2023 01:29
231014-bwm9pshg4t 10Analysis
-
max time kernel
599s -
max time network
605s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 02:29
General
-
Target
D5f0a5d17c7420fe49da676.exe
-
Size
250KB
-
MD5
24a8408510d9b173b9dc078574261d28
-
SHA1
2ecfc788687aadbd9cc42ea311210f7cde5fa064
-
SHA256
67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869
-
SHA512
de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9
-
SSDEEP
6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX
Malware Config
Signatures
-
Detect Gurcu Stealer V3 payload 2 IoCs
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 22 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 33 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\tar.exe"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7FAF.tmp" -C "C:\Users\Admin\AppData\Local\6rfb5r0uff"4⤵
-
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exeC:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe"C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5a0db8a87f7b723266c8b04255da46b06
SHA14df00ea56d22d88f3d2e005ef66bad5b3ef92ebf
SHA25660b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3
SHA51241b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d
-
Filesize
9.6MB
MD5046f881234c4ae483df897ec72147fa9
SHA16f04fbb4479031b64c92e96fa3b9e14493ef5f71
SHA25689a17ce3283617963151de5167475df4a1bf34e9c130080d8635932a12d8c298
SHA512abeb0ff20d061943f7529084e329216831e31faba7068a53b5c7b4a883eaebbafb1ad2406ddd1525f264fc83b238b4bc0a6043f142ccf62bb4013dd7d3c792cd
-
Filesize
64B
MD57ec68aaeba6d0ce12057992681d941ea
SHA170e10eb351b3ad0b6e609775e4891e4a2f2e0a42
SHA2568665d0729cbaa00de794665927674fb7b4156e9438847a664c879c27fc77929b
SHA512ffc48c43fa312024e3d67e52d5dac4cd1e6386dc05315adccb9ed336165ae573fe8305a58cadfb61a5b8d3c73ff15143eb90eb50b1b90703cc0d0e14529065a8
-
Filesize
4B
MD59d63484abb477c97640154d40595a3bb
SHA19b49d150ad1ab6cc5e17cff7cde0ab1234a69878
SHA25644021a167f13d094844b227e9d97d834de20cf0473c99a9eddc5c702a1f66697
SHA512b304d0a89adab009c61362526b1e91c325eed70b1d07271fbbd9c6de9372a029f84494547c50f13aa63dcc21d0b2c510e2e60cf41524cd1f474960e549b9ff70
-
Filesize
7.4MB
MD588590909765350c0d70c6c34b1f31dd2
SHA1129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA25646fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
-
Filesize
218B
MD5d288f14f054d9da43c07c4f88a1e497c
SHA1a414a9d03ee09e1149f122bdc0bb289cc8c3b73a
SHA25667f1be4d20f6c07b5659971b89a4464562a49c7f752cd211c0711e3875a3375e
SHA512ff4b2b3b9d9310d7e910e2a00e97a9aadcab605ef685c14e6219dda69674afc7b5d27631ecec2bb22e7a3d2d9300ea060bda658f6460b0557d33e8992bac61df
-
Filesize
250KB
MD524a8408510d9b173b9dc078574261d28
SHA12ecfc788687aadbd9cc42ea311210f7cde5fa064
SHA25667474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869
SHA512de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9
-
Filesize
1KB
MD5fc1be6f3f52d5c841af91f8fc3f790cb
SHA1ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA2566da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA5122f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6
-
Filesize
472B
MD50320db52b01e550f7d9fd375aa921c7d
SHA18d1df34a13ffb910f83478b1259727782fa63192
SHA25678809708e4e7e99995402061d7df45b48232a0b0079ae924764d3a4103a6a1a1
SHA5123f119b2d39e9f9fb9129098f68bb00d39f34f28ba188e3767fec157fe69a0e000ca247a8125f191c3e0d674d4a3a7807562be3a89dba7490e8ced66d87f64bbf
-
Filesize
590B
MD58c25fc7934768138254ed5a4f9a5fcf8
SHA1d17eb2489dab074d3eac922ca3dff812efd99d50
SHA256a6110e878a7bbf47e72805afcc6408aa99892eb9c873f9bf752a9fc64d5e62b0
SHA51294427c5b62bc7901501a3088a23aa61adb1eb45139d4e9d2509f3acddb636ebee7db7e440266389895018ccee64d6f77cdd26c2ba859cb39715c449729f9b7dd
-
Filesize
826B
MD5098c55e8b0a7957107c796bd06f19dd5
SHA1b63c524822cdcca168e366748868588b78bdd525
SHA25682abb52abecc339f0420c614200ea33301a0e13bd8ccc4ee9eb35b24bd48a806
SHA512aa0fbdb799cb435243df2b94b03e5c47780af7c5edd5b1db47142f83ec0c3e93127b3326ab90b4490961f3878f653ba8f93070582a4ea5940c8afc59c2814d67
-
Filesize
944B
MD51e3b8dfd055a52714ef62cbda55daec1
SHA19e2e25eb4b0935fdff21bcd72b29864a22f7367a
SHA256c4da3d477a8285e18050732540c788e5df0555f1fbca521640f20aa7f2dd04ac
SHA512ad285b979e8fa3ef49d052f4098010cabd2202a87e659d3dc6b01a7c15634f7bb06657fcbfdf282a252b97183022b590cb1e32b129c3efe21c27c0d32a3fe914
-
Filesize
1KB
MD5fff223d19c2947471f67e6fd57192ba0
SHA147677d261fc8b2b125be3d45b47d650780f33f40
SHA256897c798a460b341b070b8bb007cc634522912a2b910dde7692a7609bede0900d
SHA5124cb90a1b22c8f61d8cc6253cb196477a5bd8d4b516d6a94e073e2c3fd78f534aab7e8828d612285d183ddc743bc340b8de82e3d2bc5c4caf67f3b89201e80dc1
-
Filesize
1KB
MD5394ae5b0aa3c2fcdfb1b6025023f8663
SHA17164213efd308b7bc7341d072072e0f22629885d
SHA2563c86e2af8ca9aa896bc391b0d11023a44ae87f5b878ba50fd75a1fcd09c865b9
SHA5122fc3ec1703ece649260e44348b1e89f14c406e90147fc02cecf0a31b2dc0952497340f121381f67a9058f9d8ab12d1baed75d798279453f9ae742fc95fa8feb3
-
Filesize
236B
MD527669b939da7cc33e13dcebfec01e6e2
SHA11059770ad342a07315162d1a12e9d6b5debcdbda
SHA2569d566a3d12a7b3cca8b42afb2c683de134f84c2727eb8cb7e9bdb40e773f870f
SHA512f79bc6c882eca2ebe006cdc41e4d4bd16b80667c956a20a8c147457ea739c3e45e09ac10d60e890e4b5e5b3a9c2b6a5b9ba20d25509ec42c81727a0d8707d542
-
Filesize
354B
MD599f9550462abc19fda65ee62b677d7bd
SHA129c9b5bf7e5535f386f9a25743b56f1166ce658e
SHA256316467052c235d3705157b894bcecd7b4583b4127f65ace2b73e4ceae0935a10
SHA51253102aa4669521784d932e95190752a0b307d9e075c73dd44b9ec45bd42bc1b529954c63fab229562964ad2474e845c068eb5b46aa632fe96d012aca53afeaf7
-
Filesize
13.3MB
MD589d2d5811c1aff539bb355f15f3ddad0
SHA15bb3577c25b6d323d927200c48cd184a3e27c873
SHA256b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA51239e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
272KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB