Overview

overview

10

Static

static

10

a245b51ab7...JC.exe

windows7-x64

10

a245b51ab7...JC.exe

windows10-1703-x64

10

a245b51ab7...JC.exe

windows10-2004-x64

10

a245b51ab7...JC.exe

windows11-21h2-x64

10

Resubmissions

10-04-2024 02:56

240410-dff7kacd24 10

10-04-2024 02:56

240410-de3zyacc96 10

10-04-2024 02:56

240410-de3deaff6t 10

10-04-2024 02:56

240410-de23msff6s 10

09-09-2023 14:35

230909-rx47lsbh52 10

Analysis

  • max time kernel
    299s
  • max time network
    309s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240319-en
  • resource tags

    arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-04-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe

  • Size

    119KB

  • MD5

    369204590ce91e77109e21a298753522

  • SHA1

    e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

  • SHA256

    a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

  • SHA512

    bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

  • SSDEEP

    3072:P56Q4BB1q/hJcq4YZRKsySYSLLx9yLjj6TG6WVt9bm+EFyW43LORzMJS/3:Fha6BuQdwLKTGLt9bmhD4q1Mc

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 3 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Executes dropped EXE 12 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1492
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:1436
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:1672
        • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"
            4⤵
              PID:5088
            • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
              "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:3628
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2096
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2708
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2748
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:576
      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        1⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2940
        • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
          "C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1276

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdesc-consensus
        Filesize

        2.7MB

        MD5

        a0db8a87f7b723266c8b04255da46b06

        SHA1

        4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

        SHA256

        60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

        SHA512

        41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\data\cached-microdescs.new
        Filesize

        20.4MB

        MD5

        e76e881bdf49960d785b91defbba620d

        SHA1

        88a85bf3f600a19300f0210aec2d3c82dbd95b9c

        SHA256

        243c599a31722299b00eb303085ea2cc70ed03669ce72b909d011c2ec5b9f4d9

        SHA512

        3cad85e574fed32c7c97a9a453b7b5b0571ccf1a2b9a56f16fbb9caccfc3a470bd0eb8c5b36d09521cc77f17a6cc1d86f40f84cd56555b25006f349531f425d7

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname
        Filesize

        64B

        MD5

        a35d7ce3321a8d079e4db381cc608c4f

        SHA1

        fa9d27be4ed55dec7ae80d38acdfdceba67423d2

        SHA256

        cf591d478c7eebe45b27b7253dafd2872fb0b76b0631648789a70a7a8847ab3b

        SHA512

        8224f93e4f5c0aed773d5f8aa7044540297137755f235ba649394e9ab9bddc198de1845d56963aaf034021bb93461a1b812227d47ca5d9a5437ffebf02e6d161

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\port.dat
        Filesize

        4B

        MD5

        5db30d43f3791ae82e8f09070647e4cb

        SHA1

        3635ccff0b616d8ec9794689814d548ba7517031

        SHA256

        c4be3389854d34a894ee951d7b1a8e37807671b5d8701de81dd8ec71ada4bf0f

        SHA512

        c62f018c32c799808256bb52efaa5a2c97a47c0510ef64a3ac4a42cb30485c2f1f8244ffa6a95bf969c082ca0b55d0b362e10bddd46ab251fe6b94d034a2c8aa

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt
        Filesize

        218B

        MD5

        2b0ea7ff12a90e82eb09ed4e27f71326

        SHA1

        fc81186cfa18c2e3c92f24b967c9d0ef6f2481fb

        SHA256

        096c39ff32d9e44941b621fe069f0dcd8b0118ee257d268538f44564dc84bbb3

        SHA512

        aa9bda1e213f42beea5c1668db35c6e7b909508bbce616df227cb66e353236951763c8420868052bd102c9c7483d25ba9121a27d878726f5d0034e3f45d2b7b9

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe
        Filesize

        119KB

        MD5

        369204590ce91e77109e21a298753522

        SHA1

        e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

        SHA256

        a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

        SHA512

        bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647exe_JC.exe.log
        Filesize

        847B

        MD5

        486ebddc86ea8b3e965d390d22283a23

        SHA1

        eaffc047f067084867e8575c576a9ec60e094ba8

        SHA256

        50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d

        SHA512

        0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        354B

        MD5

        8e7748c887ba15eef1c868c4e321d03f

        SHA1

        3f8e1c09340c4378b5a1e382dd7f791270f93092

        SHA256

        81443cff5ac9d4ebea2bb0c449ecec75e2a362e69ff9da17c66563b4cad1ce82

        SHA512

        4368463d4541e19cffff7aea1fe390f23feab7d8d6b1ebfd676fbda53327e456cdfa201ff6df346e5b3d18d6adb848bdf7151927869270a71392afa09c630e2c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        472B

        MD5

        f004736dd9482c92a1e2f969aea4046d

        SHA1

        92f5bb1f8f0b1ed8518c122dd91fbd487707d99b

        SHA256

        69611b0221d4911e9a040f94c247eff90d404f1948b81acaad9473b93a813b8f

        SHA512

        92d4518595ecdf23a823597c117de0490483933ba2ebf136b8877baebfe58b6770160d195490cefba64107f75a332587389ca90d8fb9f571be4f1897cb8556ed

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        590B

        MD5

        092e977cf133f34255c1afa08ea57ca1

        SHA1

        9b22496a10c87cc77a8c6d3410be56ae6e349208

        SHA256

        89e4c151821cece11c077f6eea8ea760bdee1c8c33cc4b0f9b1835430e585b7e

        SHA512

        41479129dd7a838def51f68a5f05ff54a42c2c127db8c4fe30f1522613a9b36166da8493ae2e247a8026011df4b13c60613c58e97ef8741f415813a63367393e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
        Filesize

        236B

        MD5

        4ec96818d6c9b0bf686dc19933bf7ecd

        SHA1

        adba45960efbd78a20ac3640764653298ad9d122

        SHA256

        b5e948e3f2f1968db0d6de6068aa648405d2e2c807e06ff00c1ccdc8e97b3a33

        SHA512

        2b674fb106bb4efe15551c031c7bf6af7b1c7811dcaad40519284ee228ef78a91696bc3d5e062fa630e309381fa78c9b333d8c70f32ca873d5d3e265a27b3ffd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • memory/1096-58-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1096-54-0x000001ED44F00000-0x000001ED44F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1096-53-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1696-121-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1696-117-0x0000014E4CCA0000-0x0000014E4CCB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1696-116-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1840-12-0x00000282FAFD0000-0x00000282FAFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1840-60-0x00000282FAFD0000-0x00000282FAFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1840-59-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1840-11-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2476-95-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2476-90-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2476-91-0x000002093C4A0000-0x000002093C4B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2868-105-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2868-106-0x000001A9D9540000-0x000001A9D9550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2868-110-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2940-123-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2940-127-0x00007FFE40640000-0x00007FFE41102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4940-6-0x00007FFE413C0000-0x00007FFE41E82000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4940-4-0x0000018274E00000-0x0000018274E10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-0-0x000001825A840000-0x000001825A864000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4940-3-0x00007FFE413C0000-0x00007FFE41E82000-memory.dmp

        Filesize

        10.8MB

        Download