gurcu | dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a | Triage

Resubmissions

10-04-2024 02:55

240410-dektcsff5x 10

10-04-2024 02:54

240410-dd6z7scc89 10

10-04-2024 02:54

240410-dd6pfacc88 10

10-04-2024 02:54

240410-dd53xacc87 10

09-09-2023 16:01

230909-tgqqdscd3z 7

Analysis

max time kernel
195s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:54

Sharing

Report Analysis Logs

General

Target

dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Size

203KB
MD5

661cdb95fe5810f365ddb936ea8f3432
SHA1

6210c0691ee20e61dc9a9da1a371d561cd850774
SHA256

dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a
SHA512

aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d
SSDEEP

6144:8N0J0dLFzW/wKWsBGKqkv07bKXZSgsBuQdwLhXC1:8NDpzGAsgL+ZSwQdwLhXC1

Score

10^/10

gurcu zgrat collection rat spyware stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 2 IoCs

resource	yara_rule
behavioral2/memory/5068-1-0x00000224C80C0000-0x00000224C80F8000-memory.dmp	family_gurcu_v3
behavioral2/files/0x000800000001ac04-9.dat	family_gurcu_v3

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/5068-1-0x00000224C80C0000-0x00000224C80F8000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000800000001ac04-9.dat	family_zgrat_v1

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
1044	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
1136	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

Email Collection

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
5072	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
1384	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
1136	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Token: SeDebugPrivilege	1044	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
Token: SeDebugPrivilege	1136	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2984	5068	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe	73
PID 5068 wrote to memory of 2984	5068	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe	73
PID 2984 wrote to memory of 2728	2984	cmd.exe	75
PID 2984 wrote to memory of 2728	2984	cmd.exe	75
PID 2984 wrote to memory of 1384	2984	cmd.exe	76
PID 2984 wrote to memory of 1384	2984	cmd.exe	76
PID 2984 wrote to memory of 5072	2984	cmd.exe	77
PID 2984 wrote to memory of 5072	2984	cmd.exe	77
PID 2984 wrote to memory of 1044	2984	cmd.exe	78
PID 2984 wrote to memory of 1044	2984	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2728
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1384
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:5072
- - C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044

C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9krryil1hy\port.dat

Filesize
4B

MD5
33cf42b38bbcf1dd6ba6b0f0cd005328

SHA1
99f3508f906f03dbb50d314cabf4e655dc11ec4a

SHA256
62022fde6ff915972fb14799a6c2200c69717625a54bd056e7759e5e52ff8e34

SHA512
8a957b4f78528bda9dc9f8606dc9edeff20906f196fde6178bd320427bdd83e946bffd0432bf720898fb291c4051385a1d92d256ee7b4486fb9360183ceaafee

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

Filesize
203KB

MD5
661cdb95fe5810f365ddb936ea8f3432

SHA1
6210c0691ee20e61dc9a9da1a371d561cd850774

SHA256
dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

SHA512
aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe.log

Filesize
847B

MD5
a908a7c6e93edeb3e400780b6fe62dde

SHA1
36e2b437f41443f6b41b45b35a0f97b2cd94123d

SHA256
cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0

SHA512
deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

Filesize
82B

MD5
1d2c0986ba3c3af924ad4b8776a45190

SHA1
e4199810598c592fb4304eb37cf90d2ce2065a11

SHA256
8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2

SHA512
275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

Download Submit
memory/1044-18-0x000001C7331E0000-0x000001C7331F0000-memory.dmp

Filesize
64KB

Download
memory/1044-12-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-17-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-13-0x000001C7331E0000-0x000001C7331F0000-memory.dmp

Filesize
64KB

Download
memory/1136-20-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download
memory/1136-21-0x000002D0A32F0000-0x000002D0A3300000-memory.dmp

Filesize
64KB

Download
memory/1136-26-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download
memory/1136-27-0x000002D0A32F0000-0x000002D0A3300000-memory.dmp

Filesize
64KB

Download
memory/5068-1-0x00000224C80C0000-0x00000224C80F8000-memory.dmp

Filesize
224KB

Download
memory/5068-5-0x00000224E27F0000-0x00000224E2800000-memory.dmp

Filesize
64KB

Download
memory/5068-7-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download
memory/5068-4-0x00007FFFD1DB0000-0x00007FFFD279C000-memory.dmp

Filesize
9.9MB

Download