General

  • Target

    SyncSpoofer.exe

  • Size

    276KB

  • Sample

    240827-t2seqasbmr

  • MD5

    5a8afe7bfd11728c32066c4290eeddc7

  • SHA1

    f2064bbdec287d61722ef35e511b4090212cd1a8

  • SHA256

    92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f

  • SHA512

    e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb

  • SSDEEP

    1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7308213044:AAFm9yNR1WX2-QnC_ZcUdYHkkJGg7179JYE/sendMessag

Targets

    • Target

      SyncSpoofer.exe

    • Size

      276KB

    • MD5

      5a8afe7bfd11728c32066c4290eeddc7

    • SHA1

      f2064bbdec287d61722ef35e511b4090212cd1a8

    • SHA256

      92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f

    • SHA512

      e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb

    • SSDEEP

      1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks