gurcu | b69d8840ba9740ad103758934ca3b45151244717ebb4b7d6b5a1acbcd0498f7f

General

Target

downloader (7).exe
Size

70.1MB
MD5

499602a4917bfdd7f90024b290b369b0
SHA1

f1621e8583bf40063e409a293f0c8cff37903033
SHA256

b69d8840ba9740ad103758934ca3b45151244717ebb4b7d6b5a1acbcd0498f7f
SHA512

a224437fb3205ce9da024c7b30415f39574658a43cdcbb4f1ccc077590d13a42d35243f002d91f653c0c4b7ea2072df2aae9878f4d36cbe1c88c9b38a2fd58ca
SSDEEP

393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qjsGg4GUo3Nb:lWoI7zGF5ahWc3Iml

Score

10^/10

gurcu agilenet evasion stealer themida trojan

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6748776206:AAEhhUNx0aGGcH_eEbjbmS7YdbGSRHXm-S4/sendMessage?chat_id=1314740060

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XClient.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	XClient.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000009d9e-6.dat	agile_net
behavioral2/memory/1480-8-0x0000000000FF0000-0x00000000016F8000-memory.dmp	agile_net

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0004000000022d07-12.dat	themida
behavioral2/memory/1480-15-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-17-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-23-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-24-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-40-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-41-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-42-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida
behavioral2/memory/1480-44-0x00007FF984540000-0x00007FF9850C4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1480	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1480	XClient.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1480	XClient.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	XClient.exe
Token: SeDebugPrivilege	1480	XClient.exe
Token: SeDebugPrivilege	3924	taskmgr.exe
Token: SeSystemProfilePrivilege	3924	taskmgr.exe
Token: SeCreateGlobalPrivilege	3924	taskmgr.exe
Token: 33	3924	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3924	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe
3924	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	XClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 728	1216	downloader (7).exe	91
PID 1216 wrote to memory of 728	1216	downloader (7).exe	91
PID 1216 wrote to memory of 440	1216	downloader (7).exe	92
PID 1216 wrote to memory of 440	1216	downloader (7).exe	92
PID 440 wrote to memory of 1480	440	cmd.exe	93
PID 440 wrote to memory of 1480	440	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\downloader (7).exe
"C:\Users\Admin\AppData\Local\Temp\downloader (7).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""
  2⤵
  PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ee4191c-6d2b-4025-92a2-d6b9b7e459b2\AgileDotNetRT64.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
7.0MB

MD5
4fdd953a53303a4dd38242fee3b3c53a

SHA1
8d962de4d2f783a35b2666755e97928e446ceb1e

SHA256
5243fc913cc5de56bb4a58e73f9ee9715a8779146737fc7c865d4d5390ae750f

SHA512
5329acc05f07c5e82222877183e1e197cd6506a1cea24017930bf9f03159ea86f6853fc057378a646e8da79713e06f0f147c4b76135f058a9f21f737d8359737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xbox.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk

Filesize
783B

MD5
caa8ce785a7793075336952fe267ee12

SHA1
2dfa2e41924db6debdd5c68a5a53857d86144409

SHA256
11f8dbe70c7154201d02ce2e686bde6289f02feea64814aae552eb6fa3e5ef80

SHA512
7f7065112bf9b28a23f8c13b879c21d5ddf117b48612339b6a29d6378f98915ecb09b1fb1e3ee3e88de72bae9f1389baa0f5f9e454c2b57655e333e26f7e6afa

Download Submit
memory/1480-18-0x00007FF987E20000-0x00007FF987F6E000-memory.dmp

Filesize
1.3MB

Download
memory/1480-17-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-15-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-23-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-24-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-44-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-42-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-41-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/1480-8-0x0000000000FF0000-0x00000000016F8000-memory.dmp

Filesize
7.0MB

Download
memory/1480-40-0x00007FF984540000-0x00007FF9850C4000-memory.dmp

Filesize
11.5MB

Download
memory/3924-37-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-34-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-33-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-32-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-31-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-35-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-36-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-26-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-27-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download
memory/3924-25-0x0000021185560000-0x0000021185561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads