General
-
Target
9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
-
Size
5.6MB
-
Sample
241215-ehy1tsvpal
-
MD5
55f8e0ef95c316591d64a7bf1bf6ce7b
-
SHA1
53a4f3375799babd0fcc08190a925b467e7fede7
-
SHA256
9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9
-
SHA512
f9bec2a6ee0ca7050c735d62b6be35d732269085a4f92c5720495ec6171ed40d887276f69da978487f08c48690e66f360fffc66a9d8e7cbb4fed04ebd0666ee0
-
SSDEEP
98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc/:adOuK6mn9NzgMoYkSIvUcwti7TQlvci6
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7822020748:AAGrioLZvBM_jgQaep0KKTha1_5Kzmwl62s/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Targets
-
-
Target
9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
-
Size
5.6MB
-
MD5
55f8e0ef95c316591d64a7bf1bf6ce7b
-
SHA1
53a4f3375799babd0fcc08190a925b467e7fede7
-
SHA256
9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9
-
SHA512
f9bec2a6ee0ca7050c735d62b6be35d732269085a4f92c5720495ec6171ed40d887276f69da978487f08c48690e66f360fffc66a9d8e7cbb4fed04ebd0666ee0
-
SSDEEP
98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc/:adOuK6mn9NzgMoYkSIvUcwti7TQlvci6
Score10/10-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-