General

  • Target

    2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb.exe

  • Size

    5.6MB

  • Sample

    241214-dka64svmbq

  • MD5

    177a970a8a6c5e5e6b5c04c40bf3fe1c

  • SHA1

    64709ca99a03f416a854817427d4543043e204ad

  • SHA256

    2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb

  • SHA512

    4c1c3716ec518102d16e11fbb84f0446d75cfc8db97a5635e4f71e407431b2a21bdb35bfa38e5414f28d044b176cfce044e5da0984c519713c0e3b82657a2317

  • SSDEEP

    98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendDocument?chat_id=6518356118&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks