Overview

overview

10

Static

static

10

nborepadiktad.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nborepadiktad.exe

  • Size

    154KB

  • Sample

    250405-pmw25symy5

  • MD5

    45c60c8cd85b2c5bf1e45d9cedffb0f5

  • SHA1

    44dcaed457ea5d71bdb8e363cda3571073072066

  • SHA256

    f8ca9367e456da03cb05e50cba8f20d36bf59035b0b42e4c149d143a12d9bf0a

  • SHA512

    e4833825aba49dd471cdbd912594da200f751837351cb68404867b158e9d078a95196012b1a6cffbe72e835f5a4001f10f969ae68303a2dbb452b08a6569099d

  • SSDEEP

    3072:tuBUoLruBEaO77ZKKf9bjPoppy7KQWlKdDsQOv:tuaoLiVO8Kf9bjAry7KQWGO

Score
10/10
gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8044316559:AAFBKJlXZImRdKtbDCT2g5_pK-tOr4SgrOo/sendMessage?chat_id=7099179555

http://96.9.124.250:8070

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

Targets

    • Target

      nborepadiktad.exe

    • Size

      154KB

    • MD5

      45c60c8cd85b2c5bf1e45d9cedffb0f5

    • SHA1

      44dcaed457ea5d71bdb8e363cda3571073072066

    • SHA256

      f8ca9367e456da03cb05e50cba8f20d36bf59035b0b42e4c149d143a12d9bf0a

    • SHA512

      e4833825aba49dd471cdbd912594da200f751837351cb68404867b158e9d078a95196012b1a6cffbe72e835f5a4001f10f969ae68303a2dbb452b08a6569099d

    • SSDEEP

      3072:tuBUoLruBEaO77ZKKf9bjPoppy7KQWlKdDsQOv:tuaoLiVO8Kf9bjAry7KQWGO

    Score
    10/10
    gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks