Overview

overview

10

Static

static

3

downloader (5).exe

windows7-x64

9

downloader (5).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    downloader (5).exe

  • Size

    70.1MB

  • MD5

    990cb2c6cadc8c36bdf40fb70419f141

  • SHA1

    18b2151d37dd6dea520d92127fc1518a8f344601

  • SHA256

    adaaba0fa5907074e6e35be2d3f1bf97e32b7630ba8bb9eb91797c0795c37e2e

  • SHA512

    a15bd95e953d2c9e4361535f3097e07a049419e14456e54f22d38295e3348e149b1dc703097f00f00f500b7684b63ed1f86dba74139cb9e10c9ab59f55bfb9f9

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qjsGg4GUo3NV:lWoI7zGF5ahWc3ImL

Score
10/10
gurcuagilenetevasionstealerthemidatrojan

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6748776206:AAEhhUNx0aGGcH_eEbjbmS7YdbGSRHXm-S4/sendMessage?chat_id=1314740060

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader (5).exe
    "C:\Users\Admin\AppData\Local\Temp\downloader (5).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""
      2⤵
        PID:4432
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3488
        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1676
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1464
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2ee4191c-6d2b-4025-92a2-d6b9b7e459b2\AgileDotNetRT64.dll
      Filesize

      4.2MB

      MD5

      05b012457488a95a05d0541e0470d392

      SHA1

      74f541d6a8365508c794ef7b4ac7c297457f9ce3

      SHA256

      1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

      SHA512

      6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      Filesize

      7.0MB

      MD5

      4fdd953a53303a4dd38242fee3b3c53a

      SHA1

      8d962de4d2f783a35b2666755e97928e446ceb1e

      SHA256

      5243fc913cc5de56bb4a58e73f9ee9715a8779146737fc7c865d4d5390ae750f

      SHA512

      5329acc05f07c5e82222877183e1e197cd6506a1cea24017930bf9f03159ea86f6853fc057378a646e8da79713e06f0f147c4b76135f058a9f21f737d8359737

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Xbox.exe
      Filesize

      36B

      MD5

      a1ca4bebcd03fafbe2b06a46a694e29a

      SHA1

      ffc88125007c23ff6711147a12f9bba9c3d197ed

      SHA256

      c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

      SHA512

      6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk
      Filesize

      783B

      MD5

      c9dcdeb5283910e65b714c565e2d2208

      SHA1

      9d632aa274aff665ebdb232704cb88c8dfa695b2

      SHA256

      3eaf030cf69af3eee06bcebe138de7f5e6ca41a770a93b917d068c1ebeb399eb

      SHA512

      6bf714caaae82855bec3bdf7224ea207b998aa7e4f4a93c3cf555b8105e25fabf1d0351d2355c6af1a261488a3cc8481c58b357a3ed1261060f8569b017e446f

      Download Submit

    • memory/1464-24-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-30-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-26-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-25-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-36-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-35-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-34-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-33-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-32-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-31-0x0000024788370000-0x0000024788371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1676-42-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-61-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-39-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-18-0x00007FF9E3D70000-0x00007FF9E3EBE000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1676-67-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-66-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-65-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-17-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-15-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-8-0x0000000000150000-0x0000000000858000-memory.dmp

      Filesize

      7.0MB

      Download

    • memory/1676-64-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-63-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-62-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-23-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-60-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-59-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/1676-57-0x00007FF9E0350000-0x00007FF9E0ED4000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4540-50-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-52-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-53-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-54-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-55-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-51-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-44-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-45-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4540-43-0x000001E96F560000-0x000001E96F561000-memory.dmp

      Filesize

      4KB

      Download