Overview

overview

10

Static

static

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows7-x64

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows10-2004-x64

10

Cs2SteamEmul.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cs2SteamEmul.dll

  • Size

    2.8MB

  • Sample

    240723-exxfjsxfrq

  • MD5

    d48669a634489ed4baf9e84aedd9d2bd

  • SHA1

    e7b7bdf6e10584eb07547e7237bd654b42abcf84

  • SHA256

    4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

  • SHA512

    d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

  • SSDEEP

    49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score
10/10
dcratgurcuevasioninfostealerpersistenceratstealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6979274084:AAEyYu9GraaLRF3G8cNhU_3K2BT8GSrxiUE/sendPhoto?chat_id=5314031191&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2062477bf91d87e9a7b3a98d9e37efb8429a9aedf3%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20XZBQXJLF%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CWindows%5CSystem32%5Crestore%5CSystem.ex

https://api.telegram.org/bot6979274084:AAEyYu9GraaLRF3G8cNhU_3K2BT8GSrxiUE/sendPhoto?chat_id=5314031191&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20645063668d17ff5429f7855e369fa0c38d2b1733%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20WNIKVPKE%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38%5Cupdates%5C308046B0AF4A39CB%5Cwinlogon.ex

Targets

    • Target

      Cs2SteamEmul.dll

    • Size

      2.8MB

    • MD5

      d48669a634489ed4baf9e84aedd9d2bd

    • SHA1

      e7b7bdf6e10584eb07547e7237bd654b42abcf84

    • SHA256

      4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

    • SHA512

      d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

    • SSDEEP

      49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

    Score
    10/10
    dcratevasioninfostealerpersistenceratgurcustealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Tasks