General

  • Target: 98512fdc1d3b34e2196ca5b34e14f29c.exe

  • Size: 4.8MB

  • Sample: 241005-hqdawa1gmn

  • MD5: 98512fdc1d3b34e2196ca5b34e14f29c

  • SHA1: 460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

  • SHA256: 1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

  • SHA512: ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

  • SSDEEP: 3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Malware Config

Extracted

  • Family: gurcu

  • C2

Extracted

  • Family: gurcu

  • C2: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

  • C2: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen

Targets

    • Target: 98512fdc1d3b34e2196ca5b34e14f29c.exe

    • Size: 4.8MB

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • A potential corporate email address has been identified in the URL: 0psWt_Admin@JSMURNPT_report.wsr

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks