General

  • Target

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

  • Size

    201KB

  • Sample

    241027-m2rd4avmaz

  • MD5

    c595d96742a883a534ed1ca1f0d279d1

  • SHA1

    c465daa9e5bd998ef39c59f80f82f79cc75ce659

  • SHA256

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

  • SHA512

    142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b

  • SSDEEP

    6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615

Targets

    • Target

      e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

    • Size

      201KB

    • MD5

      c595d96742a883a534ed1ca1f0d279d1

    • SHA1

      c465daa9e5bd998ef39c59f80f82f79cc75ce659

    • SHA256

      e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

    • SHA512

      142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b

    • SSDEEP

      6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks