General

  • Target

    https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0

  • Sample

    240907-l6xagayeph

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdate

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347524

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347525

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347526

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347527

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347528

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347529

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347530

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347531

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347532

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347533

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347534

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347535

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347536

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347537

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347538

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347539

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347540

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347541

Targets

    • Target

      https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • ToxicEye

      ToxicEye is a trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks