Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

079172ddcc...3a.exe

windows7-x64

10

079172ddcc...3a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe

  • Size

    3.2MB

  • Sample

    250114-chzw1stlex

  • MD5

    4fabffd3dfad2d1e11ae2317b40b6e4a

  • SHA1

    df2ce294dc75060632bfb45add20e69ccc9396c1

  • SHA256

    079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a

  • SHA512

    bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed

  • SSDEEP

    49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy

Score
10/10
dcratgurcudiscoveryexecutioninfostealerratstealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7409084272:AAGfvawizs5psSM16en9CLFzI0ZQnCNB3SA/sendPhoto?chat_id=-4104647572&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2033a977c31c7c952c342243ca6f0b581143c254bf%0A%E2%80%A2%20Comment%3A%20Site%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20YLFOGIOE%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%5CCommon%20Files%5CDESIGNER%5CbackgroundTaskHost.ex

Targets

    • Target

      079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe

    • Size

      3.2MB

    • MD5

      4fabffd3dfad2d1e11ae2317b40b6e4a

    • SHA1

      df2ce294dc75060632bfb45add20e69ccc9396c1

    • SHA256

      079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a

    • SHA512

      bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed

    • SSDEEP

      49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy

    Score
    10/10
    dcratdiscoveryexecutioninfostealerratgurcustealer

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks