gurcu | 03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312 | Triage

Sharing

General

Target

ea08b197bbe8bc874a5c65500db03bf2.exe
Size

135KB
Sample

250317-njxc3ayvbz
MD5

ea08b197bbe8bc874a5c65500db03bf2
SHA1

3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d
SHA256

03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312
SHA512

1baa6ee1970ae01c916d00a2727016a458d3bc6a43c9cfe707ccf73d687c190e88781a596661ee302feae53c5671f478a552177d74ce2a4334ad4daa5674bf10
SSDEEP

1536:k3WaMTxYajhMDWWWxD4krrQz46vdszbLpQqVD9bMEqb01XTmUOr87dOPAUVHWHth:6ajYWCkrr3wdAbbD9bMEqo1AWz7bPCe

Score

10^/10

gurcu collection discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684

http://206.166.251.4:8080

http://167.99.138.249:8080

http://46.4.73.118:9000

http://206.189.109.146:80

http://194.164.198.113:8080

http://45.82.65.63:80

https://5.196.181.135:443

http://95.216.147.179:80

http://185.217.98.121:8080

http://116.202.101.219:8080

http://185.217.98.121:80

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

https://44.228.161.50:443

https://154.9.207.142:443

http://66.42.56.128:80

http://8.219.110.16:9999

https://138.2.92.67:443

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684

Targets

- Target
  
  ea08b197bbe8bc874a5c65500db03bf2.exe
- Size
  
  135KB
- MD5
  
  ea08b197bbe8bc874a5c65500db03bf2
- SHA1
  
  3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d
- SHA256
  
  03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312
- SHA512
  
  1baa6ee1970ae01c916d00a2727016a458d3bc6a43c9cfe707ccf73d687c190e88781a596661ee302feae53c5671f478a552177d74ce2a4334ad4daa5674bf10
- SSDEEP
  
  1536:k3WaMTxYajhMDWWWxD4krrQz46vdszbLpQqVD9bMEqb01XTmUOr87dOPAUVHWHth:6ajYWCkrr3wdAbbD9bMEqo1AWz7bPCe
Score

10^/10

gurcu collection discovery persistence privilege_escalation spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer

behavioral2

gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer