Overview

overview

10

Static

static

3

b-crypted.exe

windows7-x64

7

b-crypted.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b-crypted.exe

  • Size

    8.4MB

  • Sample

    241207-xafhmatjhl

  • MD5

    b45f3a137a961c8498ee21a246e983ec

  • SHA1

    f7a2dc2bac844aad018498f224adf51f285c1f1b

  • SHA256

    17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900

  • SHA512

    ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc

  • SSDEEP

    196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80

Score
10/10
gurcudiscoveryspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6031927554:AAEXTw-Bhx5o5i_JojmzmJzXPmNMBfive_Y/sendDocument?chat_id=918093463&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      b-crypted.exe

    • Size

      8.4MB

    • MD5

      b45f3a137a961c8498ee21a246e983ec

    • SHA1

      f7a2dc2bac844aad018498f224adf51f285c1f1b

    • SHA256

      17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900

    • SHA512

      ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc

    • SSDEEP

      196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80

    Score
    10/10
    discoverygurcuspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks