Overview

overview

10

Static

static

3

Update.exe

windows7-x64

9

Update.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Update.exe

  • Size

    5.6MB

  • Sample

    240815-q667wsvdpd

  • MD5

    b8703418e6c3d1ccd83b8d178ab9f4c9

  • SHA1

    6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

  • SHA256

    d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

  • SHA512

    75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

  • SSDEEP

    98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA

Score
10/10
gurcucredential_accessdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      Update.exe

    • Size

      5.6MB

    • MD5

      b8703418e6c3d1ccd83b8d178ab9f4c9

    • SHA1

      6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

    • SHA256

      d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

    • SHA512

      75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

    • SSDEEP

      98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA

    Score
    10/10
    credential_accessdiscoverypersistencespywarestealergurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks