Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    05-10-2024 06:56

General

  • Target

    98512fdc1d3b34e2196ca5b34e14f29c.exe

  • Size

    4.8MB

  • MD5

    98512fdc1d3b34e2196ca5b34e14f29c

  • SHA1

    460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

  • SHA256

    1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

  • SHA512

    ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

  • SSDEEP

    3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

http://185.80.128.17:8080

http://206.166.251.4:8080

http://167.99.138.249:8080

http://46.4.73.118:9000

http://206.189.109.146:80

http://194.164.198.113:8080

http://45.82.65.63:80

https://5.196.181.135:443

http://95.216.147.179:80

http://185.217.98.121:8080

http://116.202.101.219:8080

http://185.217.98.121:80

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

https://44.228.161.50:443

https://154.9.207.142:443

http://66.42.56.128:80

http://8.219.110.16:9999

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • A potential corporate email address has been identified in the URL: 0psWt_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 1Ry4E_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 3AHgj_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 3dEIS_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 3vZQd_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 47eBR_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 4PdEF_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 4qsoj_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 6VJNy_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 7F1l2_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 7vyFH_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 8L20V_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: 8hHRi_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Ax1YR_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: CbqLp_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: El5vI_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: EwYXF_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Ezgug_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: F06lq_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: FALPg_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: GQG67_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: INq9R_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Kw270_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Lf1mB_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: MOHDh_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Makje_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Nowvq_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: OYlmA_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Ouxjk_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Ozz8d_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: P68e8_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: P7fPA_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: PRVfy_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: R22Ku_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: R4rDY_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: SUBDs_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: Tlh8j_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: V00Ab_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: VZAkn_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: ZT5Xg_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: adtNb_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: dKusI_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: dTONe_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: e8SpX_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: esDFn_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: gOBJ8_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: kVjGk_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: lLS11_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: lZVCJ_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: n9zl3_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: nI5Oo_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: o20e1_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: oFe4p_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: pBY6a_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: r47lD_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: rPexd_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: tDfBz_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: whILQ_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: xgAn2_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: xvLmz_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: yeUze_Admin@JSMURNPT_report.wsr
  • A potential corporate email address has been identified in the URL: z1bmi_Admin@JSMURNPT_report.wsr
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe
    "C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2952
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          3⤵
          • Delays execution with timeout.exe
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2712
        • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
          "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            4⤵
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1532
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                • Event Triggered Execution: Netsh Helper DLL
                • System Network Configuration Discovery: Wi-Fi Discovery
                PID:1772
              • C:\Windows\system32\findstr.exe
                findstr /R /C:"[ ]:[ ]"
                5⤵
                  PID:952
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1608
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  5⤵
                    PID:1524
                  • C:\Windows\system32\netsh.exe
                    netsh wlan show networks mode=bssid
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:2188
                  • C:\Windows\system32\findstr.exe
                    findstr "SSID BSSID Signal"
                    5⤵
                      PID:328
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {6E038E5E-4B8F-45E5-9112-580CD052E09C} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1412
              • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
                C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
                2⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook profiles
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:2992
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                  3⤵
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2484
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    4⤵
                      PID:2264
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show profiles
                      4⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Network Configuration Discovery: Wi-Fi Discovery
                      PID:1728
                    • C:\Windows\system32\findstr.exe
                      findstr /R /C:"[ ]:[ ]"
                      4⤵
                        PID:1844
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1524
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        4⤵
                          PID:908
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show networks mode=bssid
                          4⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:660
                        • C:\Windows\system32\findstr.exe
                          findstr "SSID BSSID Signal"
                          4⤵
                            PID:2216

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      Filesize

                      342B

                      MD5

                      a8c732ecab12d9233824ff39c37376b2

                      SHA1

                      d2627fa085aa24baa257ffd9771342bf4a1c8f6d

                      SHA256

                      4b34ef5671441c88311375625d06b7fe64a4ed364b3f5d7bd06f299a5739a5ab

                      SHA512

                      75d1712cc800bbd4a03438b279a7e3c1c92a3ab0546492208a493501dc730397be38a34835d49beedd1dda102ebdeafae6fa334fe175b5dab12433d582debaa3

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      Filesize

                      342B

                      MD5

                      0e7005e30711f99e57d8685bcd065588

                      SHA1

                      0f38338b43b79739ef9a9cd38fa494b661fd4a8d

                      SHA256

                      66b998e47d09473fe3bd05f136e4896a57813dbc42944778bf46bd05b2cb966b

                      SHA512

                      de5df28e668a507d200784992dd2220534bc6c5560c67cee84ea519c3a9d793ab3c1fd53d0595d4f75d842e9c893c972480ef1062b00ee9f53fd892a2ec3de21

                    • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe

                      Filesize

                      4.8MB

                      MD5

                      98512fdc1d3b34e2196ca5b34e14f29c

                      SHA1

                      460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

                      SHA256

                      1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

                      SHA512

                      ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

                    • C:\Users\Admin\AppData\Local\Temp\CabCD9E.tmp

                      Filesize

                      70KB

                      MD5

                      49aebf8cbd62d92ac215b2923fb1b9f5

                      SHA1

                      1723be06719828dda65ad804298d0431f6aff976

                      SHA256

                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                      SHA512

                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                    • C:\Users\Admin\AppData\Local\Temp\TarCDC1.tmp

                      Filesize

                      181KB

                      MD5

                      4ea6026cf93ec6338144661bf1202cd1

                      SHA1

                      a1dec9044f750ad887935a01430bf49322fbdcb7

                      SHA256

                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                      SHA512

                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                    • C:\Users\Admin\AppData\Local\lwblm0rcyp\p.dat

                      Filesize

                      4B

                      MD5

                      03924fb32bcc6248036e209a716e3339

                      SHA1

                      efb632c4811ff6da19cc314f5367692afb782395

                      SHA256

                      0c8b0099fc8c50e603a46709494b930ba0b848baebc1db487389eb1995bbb0af

                      SHA512

                      3b9f21458c16c6dd145859b2701a0533a2c215b9add344743b5d70f08ca2f815fea2ddc8fc4985d6e1db5bc68e4ca46735adba845db0ed90e3d571e130195c5c

                    • memory/1960-0-0x000007FEF59F3000-0x000007FEF59F4000-memory.dmp

                      Filesize

                      4KB

                    • memory/1960-1-0x0000000000230000-0x0000000000264000-memory.dmp

                      Filesize

                      208KB

                    • memory/1960-2-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

                      Filesize

                      9.9MB

                    • memory/1960-5-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

                      Filesize

                      9.9MB

                    • memory/2708-9-0x0000000000E90000-0x0000000000EC4000-memory.dmp

                      Filesize

                      208KB