Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • submitted
    05-10-2024 06:56

General

  • Target

    98512fdc1d3b34e2196ca5b34e14f29c.exe

  • Size

    4.8MB

  • MD5

    98512fdc1d3b34e2196ca5b34e14f29c

  • SHA1

    460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

  • SHA256

    1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

  • SHA512

    ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

  • SSDEEP

    3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

http://185.80.128.17:8080

http://206.166.251.4:8080

http://167.99.138.249:8080

http://46.4.73.118:9000

http://206.189.109.146:80

http://194.164.198.113:8080

http://45.82.65.63:80

https://5.196.181.135:443

http://95.216.147.179:80

http://185.217.98.121:8080

http://116.202.101.219:8080

http://185.217.98.121:80

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

https://44.228.161.50:443

https://154.9.207.142:443

http://66.42.56.128:80

http://8.219.110.16:9999

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • A potential corporate email address has been identified in the URL: 0xnyz_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 178TL_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 1dtXb_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 2bCvj_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 3KOOb_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 4QjqJ_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 4ildL_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 7O2l3_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: 7Tqq7_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: Ce1p9_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: LK1AP_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: Npnre_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: SdM0e_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: WSwEH_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: XLaAh_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: aMsks_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: ac5tZ_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: dEnQT_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: dYPuA_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: jFTCr_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: jwpwj_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: kZsNC_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: lkAxR_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: n1aZW_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: rl7iq_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: sZNdQ_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: tEVAb_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: v3OFL_Admin@ERHQJVYQ_report.wsr
  • A potential corporate email address has been identified in the URL: yHRlH_Admin@ERHQJVYQ_report.wsr
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe
    "C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4040
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          3⤵
          • Delays execution with timeout.exe
          PID:2364
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1108
        • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
          "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1308
          • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\tor-real.exe
            "C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\torrc.txt"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2200
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            4⤵
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:1228
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1560
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                • Event Triggered Execution: Netsh Helper DLL
                • System Network Configuration Discovery: Wi-Fi Discovery
                PID:1728
              • C:\Windows\system32\findstr.exe
                findstr /R /C:"[ ]:[ ]"
                5⤵
                  PID:1236
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3512
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  5⤵
                    PID:3136
                  • C:\Windows\system32\netsh.exe
                    netsh wlan show networks mode=bssid
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:1584
                  • C:\Windows\system32\findstr.exe
                    findstr "SSID BSSID Signal"
                    5⤵
                      PID:3664
            • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
              C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1036
            • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
              C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2604

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\98512fdc1d3b34e2196ca5b34e14f29c.exe.log

              Filesize

              1KB

              MD5

              fc1be6f3f52d5c841af91f8fc3f790cb

              SHA1

              ac79b4229e0a0ce378ae22fc6104748c5f234511

              SHA256

              6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

              SHA512

              2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

            • C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe

              Filesize

              4.8MB

              MD5

              98512fdc1d3b34e2196ca5b34e14f29c

              SHA1

              460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

              SHA256

              1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

              SHA512

              ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\p.dat

              Filesize

              4B

              MD5

              c6663e689b7d1495526d8c7403ccc67f

              SHA1

              7eba27381c7a688f80d1f97c8ccfaa7ded17ee57

              SHA256

              5410f1c8719e7b628b2d75d468c1e78d4fbdad9c51ebe5d09992cc3d68f10605

              SHA512

              94606d7a5861310c4c5441163848e4aad9d2d81527559e67a8f2a23f2081a612b9bb7c693121012f258c5b417f3f1b42fc9a5cd244d90bdd798dbea902480a6a

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\data\cached-microdesc-consensus.tmp

              Filesize

              2.8MB

              MD5

              b15b738c20b84e450133c57030b516fc

              SHA1

              0fc863cd397da0fc24194c6338f430574f27bae2

              SHA256

              c3f6dc1daaf66bfc938da3078aee6f8b8b199a511376bb7c58c75d8f88b32a07

              SHA512

              be0eee320b4ffee0b091c008b921922b745499e370a4627b75e3ec8bf75f4f72f67388841440cf1a1c80ca0883e5ce8dadb692ebf4565ddf787f7a7e741e1e48

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\data\cached-microdescs.new

              Filesize

              9.7MB

              MD5

              38d390f65f78db0443cb61771f13020f

              SHA1

              3332f7b719c06396967b3e58c0fdf108831fe8e8

              SHA256

              89b01ffe21491063ffeae579f2b0bf129f0134c80334142e0eb33e37d680fe48

              SHA512

              b22b9989a75d3b8884a5acbcfb9812bb8a9cd333783ac36565a7f04e2c76b97579208d1ca0acf36dda8da9c34b2be7c310382a486d892ad89a281d6f88dbfab2

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\host\hostname

              Filesize

              64B

              MD5

              8f98f6c34bc78ae52d0ad84f6745e1c8

              SHA1

              8feb0cbe07365d4a4c426f43b96c496cd2339434

              SHA256

              7deb21774365cb4c02613dbcff295ad75c60df17b2ca1845752a872272833473

              SHA512

              51b76aceee3a7c90a7f38d78326b419e5c195901c3b17f7eaa6156fe7c5c465451ed06f4abff84033d7f01fdfdebe3d4154fd1d05b7c7af7729712432304481d

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libcrypto-1_1.dll

              Filesize

              3.5MB

              MD5

              6d48d76a4d1c9b0ff49680349c4d28ae

              SHA1

              1bb3666c16e11eff8f9c3213b20629f02d6a66cb

              SHA256

              3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d

              SHA512

              09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libevent-2-1-7.dll

              Filesize

              1.1MB

              MD5

              a3bf8e33948d94d490d4613441685eee

              SHA1

              75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

              SHA256

              91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

              SHA512

              c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libgcc_s_sjlj-1.dll

              Filesize

              1.0MB

              MD5

              bd40ff3d0ce8d338a1fe4501cd8e9a09

              SHA1

              3aae8c33bf0ec9adf5fbf8a361445969de409b49

              SHA256

              ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

              SHA512

              404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libssl-1_1.dll

              Filesize

              1.1MB

              MD5

              945d225539becc01fbca32e9ff6464f0

              SHA1

              a614eb470defeab01317a73380f44db669100406

              SHA256

              c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a

              SHA512

              409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libssp-0.dll

              Filesize

              246KB

              MD5

              b77328da7cead5f4623748a70727860d

              SHA1

              13b33722c55cca14025b90060e3227db57bf5327

              SHA256

              46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

              SHA512

              2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\libwinpthread-1.dll

              Filesize

              512KB

              MD5

              19d7cc4377f3c09d97c6da06fbabc7dc

              SHA1

              3a3ba8f397fb95ed5df22896b2c53a326662fcc9

              SHA256

              228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

              SHA512

              23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\tor-real.exe

              Filesize

              4.0MB

              MD5

              07244a2c002ffdf1986b454429eace0b

              SHA1

              d7cd121caac2f5989aa68a052f638f82d4566328

              SHA256

              e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf

              SHA512

              4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\torrc.txt

              Filesize

              226B

              MD5

              eaf4b0213f6badd60318e4fa8fad7c55

              SHA1

              3fa7f57e33ec58cb6693cd812384b541ac72a96d

              SHA256

              efbfd7606016ab8e44bdfdfe46daeb1aab14a719c51ec23d75e0158e2771b32a

              SHA512

              fddb3648b1ef8c09acbccb45c04a7bfe1d7eb423ef4d8abafaad31cacc5f5bc8ba8b934bbfa93112717274bf98ea990ae108598cdb0792d670988e69ed7293f9

            • C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\zlib1.dll

              Filesize

              121KB

              MD5

              6f98da9e33cd6f3dd60950413d3638ac

              SHA1

              e630bdf8cebc165aa81464ff20c1d55272d05675

              SHA256

              219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

              SHA512

              2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

            • memory/2200-121-0x0000000074E40000-0x0000000074F26000-memory.dmp

              Filesize

              920KB

            • memory/2200-164-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-104-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-102-0x0000000075190000-0x000000007528B000-memory.dmp

              Filesize

              1004KB

            • memory/2200-116-0x0000000075190000-0x000000007528B000-memory.dmp

              Filesize

              1004KB

            • memory/2200-122-0x0000000074B40000-0x0000000074E36000-memory.dmp

              Filesize

              3.0MB

            • memory/2200-207-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-120-0x0000000074F30000-0x0000000074F56000-memory.dmp

              Filesize

              152KB

            • memory/2200-119-0x0000000074F60000-0x0000000074FE1000-memory.dmp

              Filesize

              516KB

            • memory/2200-118-0x0000000074FF0000-0x00000000750F4000-memory.dmp

              Filesize

              1.0MB

            • memory/2200-117-0x0000000075140000-0x0000000075184000-memory.dmp

              Filesize

              272KB

            • memory/2200-115-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-123-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-131-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-199-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-188-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/2200-103-0x0000000074F30000-0x0000000074F56000-memory.dmp

              Filesize

              152KB

            • memory/2200-180-0x00000000003D0000-0x00000000007E4000-memory.dmp

              Filesize

              4.1MB

            • memory/5016-1-0x000001D4F3040000-0x000001D4F3074000-memory.dmp

              Filesize

              208KB

            • memory/5016-2-0x00007FF9B30D0000-0x00007FF9B3B91000-memory.dmp

              Filesize

              10.8MB

            • memory/5016-6-0x00007FF9B30D0000-0x00007FF9B3B91000-memory.dmp

              Filesize

              10.8MB

            • memory/5016-0-0x00007FF9B30D3000-0x00007FF9B30D5000-memory.dmp

              Filesize

              8KB