Overview

overview

10

Static

static

10

661b2c9879...76.exe

windows7-x64

10

661b2c9879...76.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a193e404a6285a41aba3019479d1749.bin

  • Size

    1.6MB

  • Sample

    250113-bth7zaynex

  • MD5

    993aa525f8c05de0745c37c147c032b3

  • SHA1

    a306aac942be0a75fb86cce6e777afcb40b2faab

  • SHA256

    5b978f244a0939f589b0c90976d6002347a3cc5943bf9389530fb442021137d6

  • SHA512

    ebeec41e4b58b70a567dc4d051e162eebed08586b0fa79c91249f581a1691caf51bb267e2592b79e26662a0637b6a35327a5531b5196da9adaf53adac3467f4c

  • SSDEEP

    49152:ix45521edULppemsrcaIROgIN/2AF77/kKb5:z5g1jtpnsrczOZZFHcKt

Score
10/10
dcratgurcudiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7170051875:AAE6pL_pl17E85H-TlJS2rKEh_uqVfRc8Gk/sendPhoto?chat_id=5922069347&caption=%E2%9D%95%20Pipavsya%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20291322594f2d562de42c69fe01eb01ffed286b20%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20GYHASOLS%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5CRuntimeBroker.ex

Targets

    • Target

      661b2c9879d7ae68512f820689f2198fdc2d71288ed0a6e747a0ae3f4a27f176.exe

    • Size

      2.1MB

    • MD5

      7a193e404a6285a41aba3019479d1749

    • SHA1

      e977d421b247ace0c630d118f05938460664c3b8

    • SHA256

      661b2c9879d7ae68512f820689f2198fdc2d71288ed0a6e747a0ae3f4a27f176

    • SHA512

      a93f289943e29c2a34dde3c7e12ce22641afa868b11c541120b48610f22447fe8fd1b8e64436886ac73facaefc3c82dd658129e49ab65917bfd27fd10278cd1c

    • SSDEEP

      49152:abA30qELx3+NdmphJ3TWOodBNw8vNRf1Im/aN0mX3xfz:abdZ+NdmphJ3TWOsfNvNN2mybJ

    Score
    10/10
    dcratdiscoveryinfostealerratspywarestealergurcu

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks