Overview

overview

10

Static

static

3

55f67b598a...c7.exe

windows7-x64

7

55f67b598a...c7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    55f67b598ae5d8956ea16deefdc771c7.exe

  • Size

    5.6MB

  • Sample

    241208-j4exassqdm

  • MD5

    55f67b598ae5d8956ea16deefdc771c7

  • SHA1

    2007aed44e368258d70bb124ad12e08a0e8ee1ae

  • SHA256

    9dc28d9009e1d6a240030460e6c4e27e2014842cd3e7ab0349d31dd13b5fdfb8

  • SHA512

    ad07651cab030fcd72169e6f64bf3a4dc3871c5f66f66607d9b056f4bdb9fe3916f0672833b8a289f5a7f6d642828f24e31e6520b5a7294a251661a5ff542b93

  • SSDEEP

    98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score
10/10
gurcudiscoveryspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      55f67b598ae5d8956ea16deefdc771c7.exe

    • Size

      5.6MB

    • MD5

      55f67b598ae5d8956ea16deefdc771c7

    • SHA1

      2007aed44e368258d70bb124ad12e08a0e8ee1ae

    • SHA256

      9dc28d9009e1d6a240030460e6c4e27e2014842cd3e7ab0349d31dd13b5fdfb8

    • SHA512

      ad07651cab030fcd72169e6f64bf3a4dc3871c5f66f66607d9b056f4bdb9fe3916f0672833b8a289f5a7f6d642828f24e31e6520b5a7294a251661a5ff542b93

    • SSDEEP

      98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE

    Score
    10/10
    discoveryspywarestealergurcu

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks