General

  • Target

    03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312.exe

  • Size

    135KB

  • Sample

    250318-cge58asvfv

  • MD5

    ea08b197bbe8bc874a5c65500db03bf2

  • SHA1

    3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d

  • SHA256

    03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312

  • SHA512

    1baa6ee1970ae01c916d00a2727016a458d3bc6a43c9cfe707ccf73d687c190e88781a596661ee302feae53c5671f478a552177d74ce2a4334ad4daa5674bf10

  • SSDEEP

    1536:k3WaMTxYajhMDWWWxD4krrQz46vdszbLpQqVD9bMEqb01XTmUOr87dOPAUVHWHth:6ajYWCkrr3wdAbbD9bMEqo1AWz7bPCe

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684

http://206.166.251.4:8080

http://167.99.138.249:8080

http://46.4.73.118:9000

http://206.189.109.146:80

http://194.164.198.113:8080

http://45.82.65.63:80

https://5.196.181.135:443

http://95.216.147.179:80

http://185.217.98.121:8080

http://116.202.101.219:8080

http://185.217.98.121:80

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

https://44.228.161.50:443

https://154.9.207.142:443

http://66.42.56.128:80

http://8.219.110.16:9999

https://138.2.92.67:443

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684
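The extracted config above mixes two kinds of indicator: a Telegram Bot API URL (exfiltration via the attacker's bot, with the bot token and destination chat_id embedded in the URL) and a list of direct ip:port C2 endpoints. The script below is an added example, not part of the Triage report or the Gurcu/WhiteSnake code: it parses the C2 list copied verbatim from the first "Extracted" block into structured, de-duplicated indicators and matches them against a few constructed proxy log lines (the log format and the 10.0.0.x clients are assumptions for the example).

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# C2 URLs copied verbatim from the first "Extracted" block of the report. The second
# block only repeats the Telegram endpoint, which is why the parser de-duplicates.
C2_URLS = [
    "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684",
    "http://206.166.251.4:8080",
    "http://167.99.138.249:8080",
    "http://46.4.73.118:9000",
    "http://206.189.109.146:80",
    "http://194.164.198.113:8080",
    "http://45.82.65.63:80",
    "https://5.196.181.135:443",
    "http://95.216.147.179:80",
    "http://185.217.98.121:8080",
    "http://116.202.101.219:8080",
    "http://185.217.98.121:80",
    "http://159.203.174.113:8090",
    "http://107.161.20.142:8080",
    "https://192.99.196.191:443",
    "https://44.228.161.50:443",
    "https://154.9.207.142:443",
    "http://66.42.56.128:80",
    "http://8.219.110.16:9999",
    "https://138.2.92.67:443",
    "https://api.telegram.org/bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage?chat_id=7259165684",
]


@dataclass(frozen=True)
class Endpoint:
    scheme: str
    host: str
    port: int


def parse_telegram_exfil(url):
    """Pull bot id, token, API method and chat_id out of a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    segments = parts.path.strip("/").split("/")
    if len(segments) < 2 or not segments[0].startswith("bot") or ":" not in segments[0]:
        return None
    bot_id, _, secret = segments[0][len("bot"):].partition(":")
    return {
        "bot_id": bot_id,
        "token": f"{bot_id}:{secret}",
        "method": segments[1],
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def parse_c2_config(urls):
    """Split the extracted C2 list into Telegram exfil channels and direct ip:port endpoints.

    Both lists are de-duplicated; direct endpoints are sorted for stable output. A URL
    without an explicit port gets the scheme default (80 for http, 443 for https).
    """
    telegram, direct = {}, set()
    for url in urls:
        tg = parse_telegram_exfil(url)
        if tg:
            telegram[(tg["bot_id"], tg["chat_id"])] = tg
            continue
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        direct.add(Endpoint(parts.scheme, parts.hostname, port))
    return list(telegram.values()), sorted(direct, key=lambda e: (e.host, e.port))


# Constructed proxy log lines (hypothetical format: time client -> dest:port method path).
PROXY_LOG = [
    "2025-03-18T10:01:02Z 10.0.0.15 -> 185.217.98.121:8080 POST /",
    "2025-03-18T10:01:05Z 10.0.0.15 -> api.telegram.org:443 POST /bot7972507107:AAE0InlBzYqTeRUoXqUM9ewqhQJZRxDPcsE/sendMessage",
    "2025-03-18T10:02:00Z 10.0.0.22 -> api.telegram.org:443 POST /bot1234567890:ZZunrelatedbottoken/getUpdates",
    "2025-03-18T10:03:11Z 10.0.0.22 -> 185.217.98.121:443 GET /",
]

DEST_RE = re.compile(r"-> (\S+?):(\d+) ")


def find_hits(log_lines, telegram, direct):
    """Return (line, reason) for log lines that reach a known C2 endpoint.

    Telegram traffic is only flagged when the bot id from the config appears in the
    request path; matching api.telegram.org alone would flag every legitimate bot.
    Direct C2 is matched on the exact host:port pair from the config, so the same IP
    on an unlisted port (last constructed line) is not reported.
    """
    direct_pairs = {(e.host, e.port) for e in direct}
    bot_paths = {f"/bot{t['bot_id']}:" for t in telegram}
    hits = []
    for line in log_lines:
        m = DEST_RE.search(line)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if (host, port) in direct_pairs:
            hits.append((line, f"direct C2 {host}:{port}"))
        elif host == "api.telegram.org" and any(p in line for p in bot_paths):
            hits.append((line, "Telegram exfil bot from config"))
    return hits


if __name__ == "__main__":
    tg, c2 = parse_c2_config(C2_URLS)
    for t in tg:
        print(f"Telegram bot {t['bot_id']} -> chat {t['chat_id']} via {t['method']}")
    print(f"{len(c2)} direct C2 endpoints on {len({e.host for e in c2})} hosts")
    for line, why in find_hits(PROXY_LOG, tg, c2):
        print(why, "|", line)
```

Two points the parser makes explicit: 185.217.98.121 appears twice in the config on different ports, so blocking on host:port pairs leaves a gap that blocking on the host alone would not; and the Telegram bot token in the URL is the attacker's credential for that bot, so treat the token and chat_id as the indicator rather than the shared api.telegram.org host.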

Targets

    • Target

      03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312.exe

    • Size

      135KB

    • MD5

      ea08b197bbe8bc874a5c65500db03bf2

    • SHA1

      3cbe0f9a6bb6c1600e196d3c2b54132c72ccce0d

    • SHA256

      03423b8784cac66602f6dc04f6303668951e9c7280a80535a708d59e6cf82312

    • SHA512

      1baa6ee1970ae01c916d00a2727016a458d3bc6a43c9cfe707ccf73d687c190e88781a596661ee302feae53c5671f478a552177d74ce2a4334ad4daa5674bf10

    • SSDEEP

      1536:k3WaMTxYajhMDWWWxD4krrQz46vdszbLpQqVD9bMEqb01XTmUOr87dOPAUVHWHth:6ajYWCkrr3wdAbbD9bMEqo1AWz7bPCe

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks