Extracted

• • Target

    data.dat.exe

  • Size

    5.7MB

  • MD5

    fb25fdd6ff14150c12aadd9ee2d1a132

  • SHA1

    3cfb3536cd95f0b45e3540241b29aaac8195969b

  • SHA256

    30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c

  • SHA512

    ffa52a7225aab5c5518d2ec872b20bb81a964b41205308cb72356e8f443b333a89239920989ffe032f5b5009d34ea04c4ffa8944e648633321c9a6685a3d9494

  • SSDEEP

    98304:m2+l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucz:moOuK6mn9NzgMoYkSIvUcwti7TQlvciE

  Score

  10^/10

  discoverygurcucredential_accesspersistencespywarestealer

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery
  behavioral1behavioral2