General

  • Target

    main2.exe

  • Size

    16.2MB

  • Sample

    241122-vtxvxazrdm

  • MD5

    ae9d50dc273f154d4fdbe423718650cf

  • SHA1

    7b784cbbd73bfe05f9f13c0131fdde36a6dbd8a1

  • SHA256

    9abbee10fe330e17e3a13ef414e36aca1f86eac6cbe7a400abd7f321049b254a

  • SHA512

    b6df313e53c66dd780a492578d2b819277f380da97e2a4a399817bcd8f5b15eda8551de343baddd9051452428dc2ff106b346e31485a90786074f83dbb7298c5

  • SSDEEP

    393216:knNT13lgp6awg3GPml5NEJrhvq0R1OD17u2+DWXtA1U:q5Blgd2Nhvq0zOhV

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendMessage?chat_id=-4541669277

https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/getUpdates?offset=-

https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      main2.exe

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is an information-stealing malware family written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks