General

  • Target

    Output.exe

  • Size

    22.1MB

  • Sample

    250121-yj3vysyket

  • MD5

    cd348179244167083c704754e338418b

  • SHA1

    14b336e1a1b6d044d298e3a63b0617b2cb6ade8a

  • SHA256

    38a988e6fe88aa893cb28797a54153e7f2de8688b4e908edcaa6ffebcd72b9e9

  • SHA512

    b58995e445056e8a9d76395467160d56608b67ab0a04641f6b5f73546793880facc4479ec1662648cfe8d394288ffda5270445452e7742872958f76a5d1c9a43

  • SSDEEP

    393216:yx/1Iko48uNHJohfQ4jsl1efcbzP3DCDVimIX0LAKt0rCAc:yx/138qWn42fUDC/iLWAc

Malware Config

Extracted

Family

gurcu

C2


Targets

    • Target

      Output.exe

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks