Overview

overview

10

Static

static

10

8d419b81e2...ee.exe

windows7-x64

10

8d419b81e2...ee.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8d419b81e2be18d24a334d36e878d4ed7342e1907acc3e71c573807e2a0517ee

  • Size

    2.1MB

  • Sample

    250103-xss7fa1nfk

  • MD5

    fcf602e5d062a30e314eecd00cbb70e0

  • SHA1

    752513f1b80bc46fbcc5150719a4e11369547124

  • SHA256

    8d419b81e2be18d24a334d36e878d4ed7342e1907acc3e71c573807e2a0517ee

  • SHA512

    cbdfd157a93f98a06b63528283017e8b970a0d9ff4e7cba6c0805c4b6d10c6be5f1d215cb5a69b2af412861c81f135d04a96143969344022cd5f14f77fec5574

  • SSDEEP

    49152:abA30qNdaq2cO8ZdaNDb5pQb1w4EA19WbPFz54F6JxU5:abdqBsodoDbgb1w4zgdix

Score
10/10
dcratgurcudiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7170051875:AAE6pL_pl17E85H-TlJS2rKEh_uqVfRc8Gk/sendPhoto?chat_id=5922069347&caption=%E2%9D%95%20Pipavsya%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20291322594f2d562de42c69fe01eb01ffed286b20%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20GYHASOLS%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38%5Cupdates%5Cspoolsv.ex

Targets

    • Target

      8d419b81e2be18d24a334d36e878d4ed7342e1907acc3e71c573807e2a0517ee

    • Size

      2.1MB

    • MD5

      fcf602e5d062a30e314eecd00cbb70e0

    • SHA1

      752513f1b80bc46fbcc5150719a4e11369547124

    • SHA256

      8d419b81e2be18d24a334d36e878d4ed7342e1907acc3e71c573807e2a0517ee

    • SHA512

      cbdfd157a93f98a06b63528283017e8b970a0d9ff4e7cba6c0805c4b6d10c6be5f1d215cb5a69b2af412861c81f135d04a96143969344022cd5f14f77fec5574

    • SSDEEP

      49152:abA30qNdaq2cO8ZdaNDb5pQb1w4EA19WbPFz54F6JxU5:abdqBsodoDbgb1w4zgdix

    Score
    10/10
    dcratdiscoveryinfostealerratspywarestealergurcu

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks