General

  • Target

    b-crypted.exe

  • Size

    8.4MB

  • Sample

    241207-w4qp1ssrbr

  • MD5

    b45f3a137a961c8498ee21a246e983ec

  • SHA1

    f7a2dc2bac844aad018498f224adf51f285c1f1b

  • SHA256

    17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900

  • SHA512

    ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc

  • SSDEEP

    196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6031927554:AAEXTw-Bhx5o5i_JojmzmJzXPmNMBfive_Y/sendDocument?chat_id=918093463&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      b-crypted.exe

    • Size

      8.4MB

    • MD5

      b45f3a137a961c8498ee21a246e983ec

    • SHA1

      f7a2dc2bac844aad018498f224adf51f285c1f1b

    • SHA256

      17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900

    • SHA512

      ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc

    • SSDEEP

      196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks