General
-
Target
main2.exe
-
Size
16.2MB
-
Sample
241122-vtxvxazrdm
-
MD5
ae9d50dc273f154d4fdbe423718650cf
-
SHA1
7b784cbbd73bfe05f9f13c0131fdde36a6dbd8a1
-
SHA256
9abbee10fe330e17e3a13ef414e36aca1f86eac6cbe7a400abd7f321049b254a
-
SHA512
b6df313e53c66dd780a492578d2b819277f380da97e2a4a399817bcd8f5b15eda8551de343baddd9051452428dc2ff106b346e31485a90786074f83dbb7298c5
-
SSDEEP
393216:knNT13lgp6awg3GPml5NEJrhvq0R1OD17u2+DWXtA1U:q5Blgd2Nhvq0zOhV
Static task
static1
Behavioral task
behavioral1
Sample
main2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
main2.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendMessage?chat_id=-4541669277
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/getUpdates?offset=-
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
main2.exe
-
Size
16.2MB
-
MD5
ae9d50dc273f154d4fdbe423718650cf
-
SHA1
7b784cbbd73bfe05f9f13c0131fdde36a6dbd8a1
-
SHA256
9abbee10fe330e17e3a13ef414e36aca1f86eac6cbe7a400abd7f321049b254a
-
SHA512
b6df313e53c66dd780a492578d2b819277f380da97e2a4a399817bcd8f5b15eda8551de343baddd9051452428dc2ff106b346e31485a90786074f83dbb7298c5
-
SSDEEP
393216:knNT13lgp6awg3GPml5NEJrhvq0R1OD17u2+DWXtA1U:q5Blgd2Nhvq0zOhV
Score10/10-
Gurcu family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-