gurcu | 4db6dc9037c5d39bead0329595ff1d7b570a030f77b5e5d7d09e904b78ba4115

General

Target

Apollo_Launcher.zip
Size

1.9MB
Sample

241206-w7y6kawrhn
MD5

cf73d6762749d11543a4e460cff5d397
SHA1

660b32ae6fb5d892cd876362d5532050843738c0
SHA256

4db6dc9037c5d39bead0329595ff1d7b570a030f77b5e5d7d09e904b78ba4115
SHA512

f0cb91d5ff524d4d68e1ed83cb8e7445170a8db0979d202eca28f2e50a9a82478b1f1f433e0605865f4ec74d884e9470b98ef4df339fe788924a809e630516a8
SSDEEP

49152:3KR32o1dQ8aBzCUaiGeDffKm1Ne0bWXtcgvwgdvBeQTUDKgi0lbh:Y3vaLGet1Ne0gX4WvBXUDni0ph

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4549607810&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

- Target
  
  Apollo_Launcher/Apollo.jar
- Size
  
  2.0MB
- MD5
  
  15eb6fe01e6f4de3898fb3faae895d99
- SHA1
  
  938d9712ba8b467f152b8ccbeb6c8808b923fc46
- SHA256
  
  8bc91eaf5b775214114e924cae0ab9d121407f9e2f596dbe23392f50e1cdd504
- SHA512
  
  7a0adf4c59ec37249ae6890abc15c7191a6acec5271321c65ab2eb3d1b98508a744e7e5efd041bbaafee76bc06f55e9398a3c9f87d5c3c0d1d06e6d98ebe2092
- SSDEEP
  
  49152:clTene/sJMqUf0YS4N8+7euBwlLy6t2TSliSjek/:cline/pq1YF6d+ZTnSB/
Score

10^/10

gurcu discovery spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Apollo_Launcher/start.bat
- Size
  
  839B
- MD5
  
  977bfc518ac71c9a003d5429407c589d
- SHA1
  
  48c382feb7e7aa33c48d4f2198a9c9a69f8782c0
- SHA256
  
  98663a87b891ceb87520dfd8f997c4e3d531007ed9d9cd2e5e55c120f664cc85
- SHA512
  
  05c0bc7ffab4b9026cf39dfa5d33a07ba3db90cdf858193d63b0aa63c3efd869c117b5086fb664b6cdaefd8f16cfe98e9972ab743354a120594bdc50f2bf3db1
Score

10^/10

execution gurcu discovery spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral3 behavioral4