Overview

overview

10

Static

static

10

6cb8969c2e...0d.exe

windows7-x64

10

6cb8969c2e...0d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d98bb52c2eeac75f2e83e8b0b88459f.bin

  • Size

    1.3MB

  • Sample

    240831-bgna6awgrg

  • MD5

    7f6d6a119c49376a4497b4b80c40cc5d

  • SHA1

    68137e634e5ae8b16243fa6b02a40229bcf4b2f1

  • SHA256

    f9e0afec65e6aeb4af35617e7967b028a77e6b5c10de2b7b064e9337d8f1ef4d

  • SHA512

    2ece8c9bf0da45795455a7af56c8fb0bdda6c7fca75a5551c12506fd51ed4e308246df08c1f8187d525a9b72d802a8b8f21fd40be02adf894af0e563e110000f

  • SSDEEP

    24576:xPMerAcy2uldrZx4rofTGK27xOMqwaJGI7UUboz51Yug7S7ZTEIwSfBYc85d+W0r:VMwAcy2o9x4+72VvmT72YuKS7ZTvjYb6

Score
10/10
dcratgurcucredential_accessdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7003920761:AAHa5M8QU-hSplH3Y14DWsBpJC5f2Uf6e-I/sendPhoto?chat_id=5941973081&caption=%D0%90%D0%9B%D0%9E%20%D0%91%D0%9E%D0%91%D0%81%D0%A0%20%D0%9D%D0%90%20%D0%A0%D0%90%D0%A2%D0%9A%D0%95%0A%E2%80%A2%20ID%3A%203d8e5917fe2dd0ce7004da6939535cb2d9b7f569%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20PVMNUDVD%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CDefault%5CPrintHood%5Cfontdrvhost.ex

Targets

    • Target

      6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d.exe

    • Size

      1.7MB

    • MD5

      1d98bb52c2eeac75f2e83e8b0b88459f

    • SHA1

      ab0db0eca10717ad295b4c015db9d51c20bda41d

    • SHA256

      6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d

    • SHA512

      bb05cf51b6b7b4318bf81b9cc5831e558018d7f2347429ca4513454f06ff3ba5c77b90f82fe533dd5ca60139b059daf65d752b5648c702d2ff4af6e648421e26

    • SSDEEP

      24576:1v/SzhQO98aL85esKGpBAYMygXEO9rjZfyfs9o+cayR4k4m2WVux/Egw/u:1v/ScA8oGAv5/c14rvuZx

    Score
    10/10
    dcratcredential_accessdiscoveryinfostealerpersistenceratspywarestealergurcu

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks