Overview

overview

10

Static

static

1

FACEITInst...64.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FACEITInstaller_64.exe

  • Size

    98.5MB

  • Sample

    240701-rajbmavgmg

  • MD5

    87cc3ad09b037bd5d247a41c27a783b1

  • SHA1

    3ac385fca2f6ccfe9289b5012f00b21f07be7bc1

  • SHA256

    6924a46b113d08d047f3e26c349c025e5f575afd7b1a7719c0000d0c570cce6a

  • SHA512

    1a80b17fbf18781faf1af18994a81a86e3527d9bb66b6d9bcf998776d30663d3b18f6139c74937fc9fa4d7395c5ca4610ca82c2dfe7e4253411c738220f49820

  • SSDEEP

    1572864:xXO5SOCWB3u+QL6pYCP3zGEYdck4sE1VG8RGEkB3cU1XtXS3EiTkxtvuthFJZo18:x+5Zj3TYdsv94B5J+YbWPJZCv5hisZT

Score
10/10
gurcudiscoveryevasionexecutionpersistencestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6402914593:AAHQGt4Do-nXCxx7KnbaSr0XWFwxa83Kfd0/sendMessage?chat_id=1392198980

https://api.telegram.org/bot6402914593:AAHQGt4Do-nXCxx7KnbaSr0XWFwxa83Kfd0/sendMessage?chat_id=582489852

https://api.telegram.org/bot6402914593:AAHQGt4Do-nXCxx7KnbaSr0XWFwxa83Kfd0/sendDocument?chat_id=1392198980&caption=Andrew%20FA

Targets

    • Target

      FACEITInstaller_64.exe

    • Size

      98.5MB

    • MD5

      87cc3ad09b037bd5d247a41c27a783b1

    • SHA1

      3ac385fca2f6ccfe9289b5012f00b21f07be7bc1

    • SHA256

      6924a46b113d08d047f3e26c349c025e5f575afd7b1a7719c0000d0c570cce6a

    • SHA512

      1a80b17fbf18781faf1af18994a81a86e3527d9bb66b6d9bcf998776d30663d3b18f6139c74937fc9fa4d7395c5ca4610ca82c2dfe7e4253411c738220f49820

    • SSDEEP

      1572864:xXO5SOCWB3u+QL6pYCP3zGEYdck4sE1VG8RGEkB3cU1XtXS3EiTkxtvuthFJZo18:x+5Zj3TYdsv94B5J+YbWPJZCv5hisZT

    Score
    10/10
    gurcudiscoveryevasionexecutionpersistencestealer

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Stops running service(s)

      evasionexecution

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks