Overview

overview

10

Static

static

1

e5cae5d179...e.xlsm

windows7-x64

10

e5cae5d179...e.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

  • Size

    201KB

  • Sample

    241027-m5sfkavkan

  • MD5

    c595d96742a883a534ed1ca1f0d279d1

  • SHA1

    c465daa9e5bd998ef39c59f80f82f79cc75ce659

  • SHA256

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

  • SHA512

    142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b

  • SSDEEP

    6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD

Score
10/10
gurcucollectiondefense_evasiondiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615

Targets

    • Target

      e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

    • Size

      201KB

    • MD5

      c595d96742a883a534ed1ca1f0d279d1

    • SHA1

      c465daa9e5bd998ef39c59f80f82f79cc75ce659

    • SHA256

      e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

    • SHA512

      142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b

    • SSDEEP

      6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD

    Score
    10/10
    collectiondefense_evasiondiscoverypersistenceprivilege_escalationspywarestealergurcu

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

1
T1140

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks