Overview

overview

10

Static

static

10

dba803bf09...JC.exe

windows7-x64

10

dba803bf09...JC.exe

windows10-1703-x64

10

dba803bf09...JC.exe

windows10-2004-x64

10

dba803bf09...JC.exe

windows11-21h2-x64

10

Resubmissions

10/04/2024, 02:55

240410-dektcsff5x 10

10/04/2024, 02:54

240410-dd6z7scc89 10

10/04/2024, 02:54

240410-dd6pfacc88 10

10/04/2024, 02:54

240410-dd53xacc87 10

09/09/2023, 16:01

230909-tgqqdscd3z 7

Analysis

  • max time kernel
    293s
  • max time network
    306s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 02:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

  • Size

    203KB

  • MD5

    661cdb95fe5810f365ddb936ea8f3432

  • SHA1

    6210c0691ee20e61dc9a9da1a371d561cd850774

  • SHA256

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

  • SHA512

    aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

  • SSDEEP

    6144:8N0J0dLFzW/wKWsBGKqkv07bKXZSgsBuQdwLhXC1:8NDpzGAsgL+ZSwQdwLhXC1

Score
10/10
gurcuzgratcollectiondiscoveryratspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 2 IoCs
  • Detect ZGRat V1 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4520
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:404
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2856
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp" -C "C:\Users\Admin\AppData\Local\9krryil1hy"
            4⤵
              PID:5020
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:4428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:960
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1096
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:2892
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:368
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:3384
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:4324
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:1948

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdesc-consensus
                Filesize

                2.7MB

                MD5

                a0db8a87f7b723266c8b04255da46b06

                SHA1

                4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

                SHA256

                60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

                SHA512

                41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

                Download Submit

              • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdescs.new
                Filesize

                9.7MB

                MD5

                236dca74816729f6a59b667ca25bddbb

                SHA1

                e91a7f1927fec5fcd221d518797bd4fcdfadc407

                SHA256

                d80f2b39a56146d4bc19ec0f61a822e71721f35201978f07ffa78791e282e3e6

                SHA512

                c286d2b37426ca97e6c8a299ca1672353be44bdc1b9e50c92f00bf884dc8028661921439223164f1d18f785c3c35ddfff84d5674e9d0243d4a7491e157566775

                Download Submit

              • C:\Users\Admin\AppData\Local\9krryil1hy\host\hostname
                Filesize

                64B

                MD5

                a8594685ba9f4bd05d536045fee6ce2d

                SHA1

                64f0c6a30bb2d61cf77fb2304b5d07281ff6b1be

                SHA256

                6cbc823113787e1700c0d44c12f8f5d2ec4f075934f82c65b4ba83a1fc5dfba1

                SHA512

                d41185c4434499e2d6eca18af42df47ba58666f81dbeaf64c65ee603449736019f816af240527cc3e08d879b461727cf4154eada034c2b9346d143f8f762ceaa

                Download Submit

              • C:\Users\Admin\AppData\Local\9krryil1hy\port.dat
                Filesize

                4B

                MD5

                a78482ce76496fcf49085f2190e675b4

                SHA1

                46d3e59de07a6aac6b2078c35aa4c16a03d10df3

                SHA256

                8a15fadc48d9f05e22123427d4564f5ca35293abfc1a5afdbcdfd8cb50353ad2

                SHA512

                9e7e28af444d9913f43e42fb2b9725c822155fc7a453cdbd0a819b10b3a8d73b1c63aeb4023c019b26a894aa7e438f2a3159b9da9d572040b315a14a0ae37752

                Download Submit

              • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
                Filesize

                7.4MB

                MD5

                88590909765350c0d70c6c34b1f31dd2

                SHA1

                129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

                SHA256

                46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

                SHA512

                a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

                Download Submit

              • C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt
                Filesize

                218B

                MD5

                83c511af46fcc0f2bbf110de3cf55b2c

                SHA1

                29e6dca9a3b325e728c1691e6c57270df982373e

                SHA256

                803306b8e72f8a467a9d87e460df5e47e95a8e94adefeba17820c43afa2a7c4d

                SHA512

                23e6fb6f1be8d4e37f9c83d99a4d6b5f379d3f93d998514f562dd25364756ca0f4ea15eef110d3fb69ef171a1d69c2f06a726f60edaf6e87f768e8431c5c9614

                Download Submit

              • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
                Filesize

                203KB

                MD5

                661cdb95fe5810f365ddb936ea8f3432

                SHA1

                6210c0691ee20e61dc9a9da1a371d561cd850774

                SHA256

                dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

                SHA512

                aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe.log
                Filesize

                847B

                MD5

                3308a84a40841fab7dfec198b3c31af7

                SHA1

                4e7ab6336c0538be5dd7da529c0265b3b6523083

                SHA256

                169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

                SHA512

                97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
                Filesize

                271B

                MD5

                e0b23b0bfc6364135ab1c4736c9a71a1

                SHA1

                5f2054eb9cb799765dafa55be6899b1da94d6ecc

                SHA256

                94abdc4e8fef30fda2ac1330fa5ff8a997202f4b38c446b6ef0f1e72bb92fbc3

                SHA512

                301f1377871df1573937989c3927af527ff3af9146d25b37419baafc1eea74dfaef08dc81067dbac99e9c28eab35af2c8f5cf31f90960029b0d19939f9bfd5e4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
                Filesize

                324B

                MD5

                676315fd0607c95b5cb7069b734ffb67

                SHA1

                aeb33fba01347345a58cf275df9484dce8597628

                SHA256

                a289476b6e8bf65d6d648068f16230310948e0fff5630ffbe28e20067fc42ba1

                SHA512

                728eeca4ef2aba95c0e3116c33ad6d4bbf1ca859612ff7c80916c61bf90a57845134ba7d31c6699f9f359d9783f635328ba5b27e49a23aa4d2cec70367772fd1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
                Filesize

                165B

                MD5

                b00ec8bfe63b6c54755aada32ba07e72

                SHA1

                dfffcb1825808d5dc29f5476e961734853e6a3cc

                SHA256

                d659b67bfec0aa7a07b3461df5d52fc6762ca0a72e7ee010ad219acf41ec5859

                SHA512

                4e4d659af28380c8888c90cd3be0ddbc2e2a5592617035713f6bc2aeaa2fb1ebd1cc0d4c0425991c70efd5a5cdbd3e7368331dc3793b1e30fee6d516e3001657

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
                Filesize

                218B

                MD5

                46abe423d442c22d1de79e9b393fffe1

                SHA1

                b68ddb5a64c57a31bf559905a2253dfaeeee70c5

                SHA256

                cd5199d4539bd104bcafe82223c7a7bf1e5c514eac1c66cf3f69bee0a32adc92

                SHA512

                a2469fc3ff5c1bf5ff9a7848dc5e8c889e2bc8fb2da4afc18ebf44e465f02cead83cd126f453c5491a826bbf22eb4c44efdd0385078898a5690b4a2839483305

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp
                Filesize

                13.3MB

                MD5

                89d2d5811c1aff539bb355f15f3ddad0

                SHA1

                5bb3577c25b6d323d927200c48cd184a3e27c873

                SHA256

                b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

                SHA512

                39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

                Download Submit

              • memory/404-131-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/404-127-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1056-90-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1056-50-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1056-65-0x0000019B64E20000-0x0000019B64E30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1056-12-0x0000019B64E20000-0x0000019B64E30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1056-11-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1096-83-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1096-84-0x0000021DDDB30000-0x0000021DDDB40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1096-89-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1096-76-0x0000021DDDB30000-0x0000021DDDB40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1096-75-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1728-113-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1728-117-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2876-96-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2876-97-0x00000195DC700000-0x00000195DC710000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2876-101-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3508-111-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3508-107-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3876-6-0x00007FFA05710000-0x00007FFA061D1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3876-0-0x000001F175860000-0x000001F175898000-memory.dmp

                Filesize

                224KB

                Download

              • memory/3876-1-0x00007FFA05710000-0x00007FFA061D1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3876-2-0x000001F177EA0000-0x000001F177EB0000-memory.dmp

                Filesize

                64KB

                Download