Overview

overview

10

Static

static

10

C9495B3A99...40.exe

windows7-x64

10

C9495B3A99...40.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C9495B3A992EA3E2EF2788C7BA7ED840.exe

  • Size

    163KB

  • Sample

    241208-n9c24ssra1

  • MD5

    c9495b3a992ea3e2ef2788c7ba7ed840

  • SHA1

    3d2e2ff99cd28f81a906d8d928ad7d42ff5226be

  • SHA256

    3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd

  • SHA512

    a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746

  • SSDEEP

    3072:amqroacBJ41WGh6ta9Y9bvxWlI9fKp7KdD+QOi:amwoaCE9Y9bvCQfKkO

Score
10/10
gurcucollectiondiscoverypersistencephishingprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

http://8.222.143.111:8080

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403

Targets

    • Target

      C9495B3A992EA3E2EF2788C7BA7ED840.exe

    • Size

      163KB

    • MD5

      c9495b3a992ea3e2ef2788c7ba7ed840

    • SHA1

      3d2e2ff99cd28f81a906d8d928ad7d42ff5226be

    • SHA256

      3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd

    • SHA512

      a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746

    • SSDEEP

      3072:amqroacBJ41WGh6ta9Y9bvxWlI9fKp7KdD+QOi:amwoaCE9Y9bvCQfKkO

    Score
    10/10
    gurcucollectiondiscoverypersistencephishingprivilege_escalationspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • A potential corporate email address has been identified in the URL: ARbpA_Admin@NNYJZAHP_report.wsr

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks