General

  • Target

    Vedani-Crypter-Lifetime-Activated-vedani-crypter.zip

  • Size

    21.5MB

  • Sample

    240901-rc198asern

  • MD5

    9b612619b33655c48129ee699dcaed21

  • SHA1

    9cf50756e294db99146ec117d256180def208afd

  • SHA256

    4918d0136cfa5fd6b2cdca204444d7676d9f86b8fba1491b9e996a06f4192eac

  • SHA512

    981b309802fd068feeefd048f7e3058bbdd5543a0ab118196efdc0f865b3882217c303dc1cd7443488c79e6bbdf24bd70623834ae36e9df215334c9e6f452910

  • SSDEEP

    393216:AlXIGBEqsBut1NrT5BGkAqaD5VjcRSzbNPmRTzOyS7a2KRNhgn4DPyotwqM76t/p:A0ot1Nu1xjcR/ZQmvTwqM72/ME

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter.zip

    • Size

      21.5MB

    • MD5

      9b612619b33655c48129ee699dcaed21

    • SHA1

      9cf50756e294db99146ec117d256180def208afd

    • SHA256

      4918d0136cfa5fd6b2cdca204444d7676d9f86b8fba1491b9e996a06f4192eac

    • SHA512

      981b309802fd068feeefd048f7e3058bbdd5543a0ab118196efdc0f865b3882217c303dc1cd7443488c79e6bbdf24bd70623834ae36e9df215334c9e6f452910

    • SSDEEP

      393216:AlXIGBEqsBut1NrT5BGkAqaD5VjcRSzbNPmRTzOyS7a2KRNhgn4DPyotwqM76t/p:A0ot1Nu1xjcR/ZQmvTwqM72/ME

    • Score

      1/10

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/LICENSE

    • Size

      1KB

    • MD5

      bdf7d963ee735052782197286d93cb2d

    • SHA1

      7830cc7bc7a96a7aebd06055082f5e6d9843e7c8

    • SHA256

      73ba901ef2ae3d89d55362e92dad06d1182542c5f740be2098e5ed82095f37b6

    • SHA512

      1838a013d77458974829ab7f0fa7bca4221f300323f2cb9272009df35cfdfa868da150dfc674ff1e877387438f8483df2312d0c42e643073a03b6687a77b143e

    • Score

      1/10

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/README.md

    • Size

      518B

    • MD5

      1ef1b10772beddb317d01e565c007e0d

    • SHA1

      b8f8e66a806b5cb57a125730c70eb3da2dc0f543

    • SHA256

      09c769ec0ce7a58f798994e447c7a5164fcf6be2bed1041d9c0ea5817a7d7ced

    • SHA512

      4cf56ccbe6a15bde7653ccc6be1d17621448c9ebb22c3f909509262704900e07a960843174f5d8299ebb2e0d137955df68fd79b6889fc75e15dee0c7863aa3ef

    • Score

      3/10

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/Tutorial.mp4

    • Size

      9.0MB

    • MD5

      16bc44c0f15b318d59b6c7aeab1d4147

    • SHA1

      afce70ee4b4a214f1ead730ef639e7589de1e0d0

    • SHA256

      a39741d4f3aefa5f1722cedf50c9f6029af26c357b537a6ec5ec4a2ddb728269

    • SHA512

      5a3cc76f7cfa7a9f8de2b032cccf6c24d33bcf2a8848dbf17328447819e59f139c043ab442cffb1d9639050ad9d3fa82ff3e8c93403e7ddfbcc2385c83d90d40

    • SSDEEP

      196608:HWzTVkH2EpJD9AX5hkxk4konPvW8Q5iOY75DBCbLqEidX+w1tg:uVkHlJD2rkxk4/nPu8uildkL+Ftg

    • Score

      6/10

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/Vedani-Crypter.exe

    • Size

      6.2MB

    • MD5

      f982e40c831cac8ad143723b49990772

    • SHA1

      e50f97163936e22cf9012b883f73a0eeaf4d90ad

    • SHA256

      13a169db433164fda1023703b80b6dba5fbd1bb1b2fa37a71a0749024f783c2b

    • SHA512

      6c1de77ae2e5376515ad278abdd2d539e9200b3bf1640174e721fef9a9bb2e8f87766b1d62e54917aaea331b839bcba798ca50ba06fa4f0602f12a75bcd63cc7

    • SSDEEP

      98304:RM3epzb71QGQCPDbZfHayCb7BJ5mjwNwwMeZYobSr+v+Z5OwXbJ:RMsdQmRfaycBIGpEogMwXb

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Target

      test.pyc

    • Size

      883B

    • MD5

      9829a76c392c1eff6118cfa867a59740

    • SHA1

      dda3868565de67012f306ea550a26bcdc440126c

    • SHA256

      cad358179be1bc7745ee7cb2fea6f0131d3f7ef7ec1df7767379e1fffbd1e629

    • SHA512

      3580bc1618967038c6527c8d17713240a6e34cf2f1382a1e1f756b1bc0595d7d90847677d3c0cd90358588aa6bbc56e871a57ca5bbbe725d2dade8e50c0fb499

    • Score

      3/10

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/XanderUI.dll

    • Size

      185KB

    • MD5

      b7498196f0a200cc729703e6127eb3cb

    • SHA1

      1fb5e3127987b38c1e9309f7a65dd2f45a5f5754

    • SHA256

      cdf2ff8c0970f4144500c81c5678055ded70c05285ba3d3ff04e44fa78d9ce64

    • SHA512

      0922ebc190c7af93655c833b8e3ba3f98d49011dbbc822f633813d2e47db8b7f1a6a22fbfcb08d5fcebc11bd90a9d3392fe1c40af7391048c70d273ef17a86f1

    • SSDEEP

      3072:uDcVO/mtFm8mO2PnOhVEeYmDjQj+O+R+Th8hQLpSfJc6AbD0bRQpk8N6aeDrFME1:u5MDjQj+OwEhMAbDQypk8NQ1lqx5XYdR

    • Score

      1/10

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/libs/obsfucation.dat

    • Size

      5.6MB

    • MD5

      612173309c257f2385cdc05c2f8f4ecc

    • SHA1

      e27c24d9a54df063a2cc22e687c9e5f08e0181cb

    • SHA256

      c9a0aea64ee81d3914980c968f2da7e45b17d008e81576b25fbc3c8415d1d899

    • SHA512

      79dad7c537b6573da25627c9379a562db337040c1f845e7cdb5cebe27c232f27476e2ab356353c571b617723aac61c869ebc1758615b32cad87fbfac1deb9d8b

    • SSDEEP

      98304:52Zl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:5fOuK6mn9NzgMoYkSIvUcwti7TQlvciE

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Target

      Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/libs/source.dat

    • Size

      5.2MB

    • MD5

      e7b448f71bfabbcf84fc5f7c8cc219a6

    • SHA1

      fe5f861a03207da4fe6b4093bbdc5588e6a0fe07

    • SHA256

      522497cf6abdb91e9d64e0bc2f0ddedab87f74eefccb43a9fe222cf4bba570f0

    • SHA512

      c1a5f8008b5a421db803447d7b443c99bf081920347be1fa417279b3c1857362e262d32bab1b893684daa0cbb8a26735090d28efb188f81351889b7f56a48b06

    • SSDEEP

      49152:ASC8LlBhwRPbfiEH+o+rRLxyFXVGgx2BpWISD9EJX1NpLR2tpdmFRsOYau9SkT8u:xTLHpEHN+VFyFVGg8BXlio67+r84fC

    • Score

      1/10
