General

  • Target: test.rar
  • Size: 32.3MB
  • Sample: 241218-ds1fzaskfq
  • MD5: bcceba879a34e34021ec86985b256039
  • SHA1: 7948c9327d3f04da85a37c4d62ed2f8dfca56900
  • SHA256: 894569cf4554d6b78e4cadebef076ea4b8a51d58d7307244a5acabf3beafb697
  • SHA512: 845d10d3c002e198462a951e391b7cc00a790b0c7f339222b87e3df0418f7b8bae34688693b31c531f3f7138fd3620cd4ef37cc3a118d990f15116edf7e50b95
  • SSDEEP: 786432:Us6yVAZZQH0evs7z9kyVbOIuL0x4yI3mgz58pGoOAcHS:Uz+Y7z+yVi4qyItdgLH

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=2024893777

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target: test.rar
    • Size: 32.3MB
    • MD5: bcceba879a34e34021ec86985b256039
    • SHA1: 7948c9327d3f04da85a37c4d62ed2f8dfca56900
    • SHA256: 894569cf4554d6b78e4cadebef076ea4b8a51d58d7307244a5acabf3beafb697
    • SHA512: 845d10d3c002e198462a951e391b7cc00a790b0c7f339222b87e3df0418f7b8bae34688693b31c531f3f7138fd3620cd4ef37cc3a118d990f15116edf7e50b95
    • SSDEEP: 786432:Us6yVAZZQH0evs7z9kyVbOIuL0x4yI3mgz58pGoOAcHS:Uz+Y7z+yVi4qyItdgLH

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information-stealing malware family written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks