Overview

overview

10

Static

static

1

2025-04-03...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-04-03_2c2efc29fc75c25b90e1472e30e7be0a_black-basta_hijackloader_luca-stealer

  • Size

    5.7MB

  • Sample

    250403-mhs4ksvwdy

  • MD5

    2c2efc29fc75c25b90e1472e30e7be0a

  • SHA1

    bf4d7300c88893be11e8b8c1cd84be7a421544ef

  • SHA256

    def69023e3e78c66804a4a7996607540cb2c6f57eeda633a04720ce39291b103

  • SHA512

    4bfc52b2abfbc478b37c29e4f642d63aa7031e502a637175e4c0e79b86a453f3e593e60a654f2f5fd2bebeb31c135c7c90d198ff738624d33d34dd3bbcdad5e7

  • SSDEEP

    98304:DWl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uczq:DtOuK6mn9NzgMoYkSIvUcwti7TQlvcij

Score
10/10
gurcucredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7762282231:AAHXw4eRj3GOllE1bbAM7ABgQpzu_mwXV8c/sendDocument?chat_id=-4788462796&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20212.102.63.147%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      2025-04-03_2c2efc29fc75c25b90e1472e30e7be0a_black-basta_hijackloader_luca-stealer

    • Size

      5.7MB

    • MD5

      2c2efc29fc75c25b90e1472e30e7be0a

    • SHA1

      bf4d7300c88893be11e8b8c1cd84be7a421544ef

    • SHA256

      def69023e3e78c66804a4a7996607540cb2c6f57eeda633a04720ce39291b103

    • SHA512

      4bfc52b2abfbc478b37c29e4f642d63aa7031e502a637175e4c0e79b86a453f3e593e60a654f2f5fd2bebeb31c135c7c90d198ff738624d33d34dd3bbcdad5e7

    • SSDEEP

      98304:DWl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uczq:DtOuK6mn9NzgMoYkSIvUcwti7TQlvcij

    Score
    10/10
    gurcucredential_accessdiscoveryspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks