Overview

overview

10

Static

static

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows7-x64

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows10-2004-x64

10

Cs2SteamEmul.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cs2SteamEmul.dll

  • Size

    2.8MB

  • Sample

    240723-exxfjsxfrq

  • MD5

    d48669a634489ed4baf9e84aedd9d2bd

  • SHA1

    e7b7bdf6e10584eb07547e7237bd654b42abcf84

  • SHA256

    4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

  • SHA512

    d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

  • SSDEEP

    49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score
10/10
dcratgurcuevasioninfostealerpersistenceratstealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6979274084:AAEyYu9GraaLRF3G8cNhU_3K2BT8GSrxiUE/sendPhoto?chat_id=5314031191&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2062477bf91d87e9a7b3a98d9e37efb8429a9aedf3%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20XZBQXJLF%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CWindows%5CSystem32%5Crestore%5CSystem.ex

https://api.telegram.org/bot6979274084:AAEyYu9GraaLRF3G8cNhU_3K2BT8GSrxiUE/sendPhoto?chat_id=5314031191&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20645063668d17ff5429f7855e369fa0c38d2b1733%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20WNIKVPKE%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38%5Cupdates%5C308046B0AF4A39CB%5Cwinlogon.ex

Targets

    • Target

      Cs2SteamEmul.dll

    • Size

      2.8MB

    • MD5

      d48669a634489ed4baf9e84aedd9d2bd

    • SHA1

      e7b7bdf6e10584eb07547e7237bd654b42abcf84

    • SHA256

      4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

    • SHA512

      d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

    • SSDEEP

      49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

    Score
    10/10
    dcratevasioninfostealerpersistenceratgurcustealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.