Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 12:01

General

  • Target

    C9495B3A992EA3E2EF2788C7BA7ED840.exe

  • Size

    163KB

  • MD5

    c9495b3a992ea3e2ef2788c7ba7ed840

  • SHA1

    3d2e2ff99cd28f81a906d8d928ad7d42ff5226be

  • SHA256

    3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd

  • SHA512

    a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746

  • SSDEEP

    3072:amqroacBJ41WGh6ta9Y9bvxWlI9fKp7KdD+QOi:amwoaCE9Y9bvCQfKkO

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

http://8.222.143.111:8080

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • A potential corporate email address has been identified in the URL: 7Dfho_Admin@NNYJZAHP_report.wsr
  • A potential corporate email address has been identified in the URL: G0t0X_Admin@NNYJZAHP_report.wsr
  • A potential corporate email address has been identified in the URL: VHI1G_Admin@NNYJZAHP_report.wsr
  • A potential corporate email address has been identified in the URL: i93nU_Admin@NNYJZAHP_report.wsr
  • A potential corporate email address has been identified in the URL: wCPfr_Admin@NNYJZAHP_report.wsr
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\C9495B3A992EA3E2EF2788C7BA7ED840.exe
    "C:\Users\Admin\AppData\Local\Temp\C9495B3A992EA3E2EF2788C7BA7ED840.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1488
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2548
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:2616
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          3⤵
            PID:2664
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\system32\chcp.com
            chcp 65001
            3⤵
              PID:2300
            • C:\Windows\system32\netsh.exe
              netsh wlan show networks mode=bssid
              3⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:1268
            • C:\Windows\system32\findstr.exe
              findstr "SSID BSSID Signal"
              3⤵
                PID:2724

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1488-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

            Filesize

            4KB

          • memory/1488-1-0x0000000000B80000-0x0000000000BB0000-memory.dmp

            Filesize

            192KB

          • memory/1488-2-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

            Filesize

            9.9MB

          • memory/1488-3-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

            Filesize

            4KB

          • memory/1488-4-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

            Filesize

            9.9MB