Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

98512fdc1d...9c.exe

windows7-x64

10

98512fdc1d...9c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    98512fdc1d3b34e2196ca5b34e14f29c.exe

  • Size

    4.8MB

  • Sample

    241005-hqdawa1gmn

  • MD5

    98512fdc1d3b34e2196ca5b34e14f29c

  • SHA1

    460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

  • SHA256

    1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

  • SHA512

    ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

  • SSDEEP

    3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Score
10/10
gurcucollectiondiscoverypersistencephishingprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

http://185.80.128.17:8080

http://206.166.251.4:8080

http://167.99.138.249:8080

http://46.4.73.118:9000

http://206.189.109.146:80

http://194.164.198.113:8080

http://45.82.65.63:80

https://5.196.181.135:443

http://95.216.147.179:80

http://185.217.98.121:8080

http://116.202.101.219:8080

http://185.217.98.121:80

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

https://44.228.161.50:443

https://154.9.207.142:443

http://66.42.56.128:80

http://8.219.110.16:9999

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen

Targets

    • Target

      98512fdc1d3b34e2196ca5b34e14f29c.exe

    • Size

      4.8MB

    • MD5

      98512fdc1d3b34e2196ca5b34e14f29c

    • SHA1

      460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

    • SHA256

      1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

    • SHA512

      ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

    • SSDEEP

      3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

    Score
    10/10
    gurcucollectiondiscoverypersistencephishingprivilege_escalationspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • A potential corporate email address has been identified in the URL: 0psWt_Admin@JSMURNPT_report.wsr

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.