General

  • Target

    seo-marketing.exe

  • Size

    60.2MB

  • Sample

    240806-gahd8avdle

  • MD5

    2bf7d4849bcf39691c8c49ed1ac92f76

  • SHA1

    f2c477fa8d31b6b4f69ec910d81edc230a696d8e

  • SHA256

    133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

  • SHA512

    b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0

  • SSDEEP

    1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7373326479:AAFc-qF_6b4d0zpxZKNAYyps6FvSKGESa2U/sendMessage?chat_id=-4262874204

Targets

    • Target

      seo-marketing.exe

    • Size

      60.2MB

    • MD5

      2bf7d4849bcf39691c8c49ed1ac92f76

    • SHA1

      f2c477fa8d31b6b4f69ec910d81edc230a696d8e

    • SHA256

      133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

    • SHA512

      b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0

    • SSDEEP

      1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks