gurcu | c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78 | Triage

Sharing

General

Target

file
Size

308KB
Sample

241030-hzdyrszmcp
MD5

d5b8ac0d80c99e7dda0d9df17c159f3d
SHA1

ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
SHA256

c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
SHA512

2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc
SSDEEP

6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp

Score

10^/10

gurcu collection discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653

Targets

- Target
  
  file
- Size
  
  308KB
- MD5
  
  d5b8ac0d80c99e7dda0d9df17c159f3d
- SHA1
  
  ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
- SHA256
  
  c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
- SHA512
  
  2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc
- SSDEEP
  
  6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp
Score

10^/10

collection discovery persistence privilege_escalation spyware stealer gurcu
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectiondiscoverypersistenceprivilege_escalationspywarestealer

behavioral2

gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer