Overview

overview

10

Static

static

10

dba803bf09...JC.exe

windows7-x64

10

dba803bf09...JC.exe

windows10-1703-x64

10

dba803bf09...JC.exe

windows10-2004-x64

10

dba803bf09...JC.exe

windows11-21h2-x64

10

Resubmissions

10-04-2024 02:55

240410-dektcsff5x 10

10-04-2024 02:54

240410-dd6z7scc89 10

10-04-2024 02:54

240410-dd6pfacc88 10

10-04-2024 02:54

240410-dd53xacc87 10

09-09-2023 16:01

230909-tgqqdscd3z 7

Analysis

  • max time kernel
    293s
  • max time network
    306s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe

  • Size

    203KB

  • MD5

    661cdb95fe5810f365ddb936ea8f3432

  • SHA1

    6210c0691ee20e61dc9a9da1a371d561cd850774

  • SHA256

    dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

  • SHA512

    aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

  • SSDEEP

    6144:8N0J0dLFzW/wKWsBGKqkv07bKXZSgsBuQdwLhXC1:8NDpzGAsgL+ZSwQdwLhXC1

Score
10/10
gurcuzgratcollectiondiscoveryratspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 2 IoCs
  • Detect ZGRat V1 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4520
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:404
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2856
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp" -C "C:\Users\Admin\AppData\Local\9krryil1hy"
            4⤵
              PID:5020
            • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
              "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:4428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:960
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1096
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:2892
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:368
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:3384
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:4324
        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
            "C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:1948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdesc-consensus
          Filesize

          2.7MB

          MD5

          a0db8a87f7b723266c8b04255da46b06

          SHA1

          4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

          SHA256

          60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

          SHA512

          41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

          Download Submit

        • C:\Users\Admin\AppData\Local\9krryil1hy\data\cached-microdescs.new
          Filesize

          9.7MB

          MD5

          236dca74816729f6a59b667ca25bddbb

          SHA1

          e91a7f1927fec5fcd221d518797bd4fcdfadc407

          SHA256

          d80f2b39a56146d4bc19ec0f61a822e71721f35201978f07ffa78791e282e3e6

          SHA512

          c286d2b37426ca97e6c8a299ca1672353be44bdc1b9e50c92f00bf884dc8028661921439223164f1d18f785c3c35ddfff84d5674e9d0243d4a7491e157566775

          Download Submit

        • C:\Users\Admin\AppData\Local\9krryil1hy\host\hostname
          Filesize

          64B

          MD5

          a8594685ba9f4bd05d536045fee6ce2d

          SHA1

          64f0c6a30bb2d61cf77fb2304b5d07281ff6b1be

          SHA256

          6cbc823113787e1700c0d44c12f8f5d2ec4f075934f82c65b4ba83a1fc5dfba1

          SHA512

          d41185c4434499e2d6eca18af42df47ba58666f81dbeaf64c65ee603449736019f816af240527cc3e08d879b461727cf4154eada034c2b9346d143f8f762ceaa

          Download Submit

        • C:\Users\Admin\AppData\Local\9krryil1hy\port.dat
          Filesize

          4B

          MD5

          a78482ce76496fcf49085f2190e675b4

          SHA1

          46d3e59de07a6aac6b2078c35aa4c16a03d10df3

          SHA256

          8a15fadc48d9f05e22123427d4564f5ca35293abfc1a5afdbcdfd8cb50353ad2

          SHA512

          9e7e28af444d9913f43e42fb2b9725c822155fc7a453cdbd0a819b10b3a8d73b1c63aeb4023c019b26a894aa7e438f2a3159b9da9d572040b315a14a0ae37752

          Download Submit

        • C:\Users\Admin\AppData\Local\9krryil1hy\tor\tor.exe
          Filesize

          7.4MB

          MD5

          88590909765350c0d70c6c34b1f31dd2

          SHA1

          129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

          SHA256

          46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

          SHA512

          a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

          Download Submit

        • C:\Users\Admin\AppData\Local\9krryil1hy\torrc.txt
          Filesize

          218B

          MD5

          83c511af46fcc0f2bbf110de3cf55b2c

          SHA1

          29e6dca9a3b325e728c1691e6c57270df982373e

          SHA256

          803306b8e72f8a467a9d87e460df5e47e95a8e94adefeba17820c43afa2a7c4d

          SHA512

          23e6fb6f1be8d4e37f9c83d99a4d6b5f379d3f93d998514f562dd25364756ca0f4ea15eef110d3fb69ef171a1d69c2f06a726f60edaf6e87f768e8431c5c9614

          Download Submit

        • C:\Users\Admin\AppData\Local\EsetSecurity\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe
          Filesize

          203KB

          MD5

          661cdb95fe5810f365ddb936ea8f3432

          SHA1

          6210c0691ee20e61dc9a9da1a371d561cd850774

          SHA256

          dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236a

          SHA512

          aa25009dfbddfb300c14ab65c9eeb68aa785a54d40fa28a684275b9f506cc6fd337842cf42c54bcff79018241c9a0ac606ad4ebf614a2a355aed7e6dbe70c41d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dba803bf0917907fad2aa9163b78a20ba8ba2b9a79cf105dede3a5acd821236aexe_JC.exe.log
          Filesize

          847B

          MD5

          3308a84a40841fab7dfec198b3c31af7

          SHA1

          4e7ab6336c0538be5dd7da529c0265b3b6523083

          SHA256

          169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

          SHA512

          97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
          Filesize

          271B

          MD5

          e0b23b0bfc6364135ab1c4736c9a71a1

          SHA1

          5f2054eb9cb799765dafa55be6899b1da94d6ecc

          SHA256

          94abdc4e8fef30fda2ac1330fa5ff8a997202f4b38c446b6ef0f1e72bb92fbc3

          SHA512

          301f1377871df1573937989c3927af527ff3af9146d25b37419baafc1eea74dfaef08dc81067dbac99e9c28eab35af2c8f5cf31f90960029b0d19939f9bfd5e4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
          Filesize

          324B

          MD5

          676315fd0607c95b5cb7069b734ffb67

          SHA1

          aeb33fba01347345a58cf275df9484dce8597628

          SHA256

          a289476b6e8bf65d6d648068f16230310948e0fff5630ffbe28e20067fc42ba1

          SHA512

          728eeca4ef2aba95c0e3116c33ad6d4bbf1ca859612ff7c80916c61bf90a57845134ba7d31c6699f9f359d9783f635328ba5b27e49a23aa4d2cec70367772fd1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
          Filesize

          165B

          MD5

          b00ec8bfe63b6c54755aada32ba07e72

          SHA1

          dfffcb1825808d5dc29f5476e961734853e6a3cc

          SHA256

          d659b67bfec0aa7a07b3461df5d52fc6762ca0a72e7ee010ad219acf41ec5859

          SHA512

          4e4d659af28380c8888c90cd3be0ddbc2e2a5592617035713f6bc2aeaa2fb1ebd1cc0d4c0425991c70efd5a5cdbd3e7368331dc3793b1e30fee6d516e3001657

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
          Filesize

          218B

          MD5

          46abe423d442c22d1de79e9b393fffe1

          SHA1

          b68ddb5a64c57a31bf559905a2253dfaeeee70c5

          SHA256

          cd5199d4539bd104bcafe82223c7a7bf1e5c514eac1c66cf3f69bee0a32adc92

          SHA512

          a2469fc3ff5c1bf5ff9a7848dc5e8c889e2bc8fb2da4afc18ebf44e465f02cead83cd126f453c5491a826bbf22eb4c44efdd0385078898a5690b4a2839483305

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp
          Filesize

          13.3MB

          MD5

          89d2d5811c1aff539bb355f15f3ddad0

          SHA1

          5bb3577c25b6d323d927200c48cd184a3e27c873

          SHA256

          b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

          SHA512

          39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

          Download Submit

        • memory/404-131-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/404-127-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1056-90-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1056-50-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1056-65-0x0000019B64E20000-0x0000019B64E30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1056-12-0x0000019B64E20000-0x0000019B64E30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1056-11-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1096-83-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1096-84-0x0000021DDDB30000-0x0000021DDDB40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1096-89-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1096-76-0x0000021DDDB30000-0x0000021DDDB40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1096-75-0x00007FFA04650000-0x00007FFA05111000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1728-113-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1728-117-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2876-96-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2876-97-0x00000195DC700000-0x00000195DC710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2876-101-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3508-111-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3508-107-0x00007FFA04D50000-0x00007FFA05811000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3876-6-0x00007FFA05710000-0x00007FFA061D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3876-0-0x000001F175860000-0x000001F175898000-memory.dmp

          Filesize

          224KB

          Download

        • memory/3876-1-0x00007FFA05710000-0x00007FFA061D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3876-2-0x000001F177EA0000-0x000001F177EB0000-memory.dmp

          Filesize

          64KB

          Download