General

  • Target

    98512fdc1d3b34e2196ca5b34e14f29c.exe

  • Size

    4.8MB

  • Sample

    241005-hs3csa1hpr

  • MD5

    98512fdc1d3b34e2196ca5b34e14f29c

  • SHA1

    460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

  • SHA256

    1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

  • SHA512

    ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

  • SSDEEP

    3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen

Targets

    • Target

      98512fdc1d3b34e2196ca5b34e14f29c.exe

    • Size

      4.8MB

    • MD5

      98512fdc1d3b34e2196ca5b34e14f29c

    • SHA1

      460f2bbed2bc7419c1664d7f8a9e284e5b9bea83

    • SHA256

      1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399

    • SHA512

      ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0

    • SSDEEP

      3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks