General

  • Target

    Apollo_Launcher.zip

  • Size

    1.9MB

  • Sample

    241018-pn76sszapk

  • MD5

    fc08798203969295d9225e2f839db477

  • SHA1

    405ccb1dd21f38d76536e0d2d8da47997816d816

  • SHA256

    1c3b03688284094e07ebe4a6c8df9887163181cdb978eb0146070e59f96c29e7

  • SHA512

    d78b1fc0cc0306ce15c28088e51a9018602f1fa482152b4386c9769e7bd751d845f2d246332c0b6a0335a5805e2d6388b8f7ec2dae716eb98901e75a180668ad

  • SSDEEP

    49152:ZZwS4Jj6b359B6BwDqu9OHLE0QTt3s0rjS0x8UF:USO8359B6nu9OQnS0z

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4549607810&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      Apollo_Launcher.zip

    • Size

      1.9MB

    • MD5

      fc08798203969295d9225e2f839db477

    • SHA1

      405ccb1dd21f38d76536e0d2d8da47997816d816

    • SHA256

      1c3b03688284094e07ebe4a6c8df9887163181cdb978eb0146070e59f96c29e7

    • SHA512

      d78b1fc0cc0306ce15c28088e51a9018602f1fa482152b4386c9769e7bd751d845f2d246332c0b6a0335a5805e2d6388b8f7ec2dae716eb98901e75a180668ad

    • SSDEEP

      49152:ZZwS4Jj6b359B6BwDqu9OHLE0QTt3s0rjS0x8UF:USO8359B6nu9OQnS0z

    • Gurcu, WhiteSnake

      Gurcu is an information-stealing malware family written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information about the host's network.

    • Target

      Apollo_Launcher/Apollo.jar

    • Size

      2.0MB

    • MD5

      7b2c7c4f635e965f46e7d3f2edbcbdb9

    • SHA1

      4db9556055ddd3e20b737e29e636c6882fbabeb0

    • SHA256

      4e15a8f8a92b9623dfba148b77993af962b67a85fb1fe3d676e118b4e3d0735a

    • SHA512

      56872b941689d5819a9881c3f06b049e9154c921ebb8d28453abd635aa03e7e421c1ebdcd9727b96f74b42b1feb9e7465f629d6ff9b96f483af0b79199f26c0f

    • SSDEEP

      49152:IzxmbZ4vAKVAf38vAKO6/4U01t3ByIRXwaWnKg1Ztw0c+NfQJtAXw8:G+4IKke01VBbwx1ZSYmAXw8

    • Gurcu, WhiteSnake

      Gurcu is an information-stealing malware family written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Apollo_Launcher/start.bat

    • Size

      854B

    • MD5

      0bae63fa7bdef4a22a540c30d19d0419

    • SHA1

      c8948de80bcaf1b661a1f32aea7ba95e2d4ad520

    • SHA256

      179a4e724129787b00bd2aff3e08b0637c9c0fa81fb8bb86cee43020a332ea69

    • SHA512

      79854985b8deff323372c4f5225eaadc49c390c23e3fd4ac4bd838d9636fb281b9c6db0b3d79067c44a43cf29e92999b810a3ca5805891ac527a56df007db63a

    • Gurcu, WhiteSnake

      Gurcu is an information-stealing malware family written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks