General

  • Target

    2025-04-08_cd553ce7a31bac1a44b761dd831b1089_black-basta_hijackloader_luca-stealer

  • Size

    5.7MB

  • Sample

    250408-jj4d6a1my8

  • MD5

    cd553ce7a31bac1a44b761dd831b1089

  • SHA1

    a54f6d76cc6576e661ac793b085aa2da04f57349

  • SHA256

    a808f1f3c67e9ce64442115e902b375f4b30628359460a284d05ab2d0fdbcea9

  • SHA512

    00a85f996c40fd76bef66b0678a1572e993991267aa44bf80359a9a264b97c22943ca5f4d1adfbc55f0d634185de97ccbbde1a6f4551694f6e56461a08db7cca

  • SSDEEP

    98304:kWl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UczF:ktOuK6mn9NzgMoYkSIvUcwti7TQlvcik

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7985592397:AAFVMPiVHwyHikIzOgkAVrO_09lBQbg0bYY/sendDocument?chat_id=5279643894&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20212.102.63.147%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
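The extracted C2 is not attacker-owned infrastructure but a Telegram Bot API call: the stealer uploads its log with `sendDocument`, authenticating with a bot token embedded in the path and addressing a fixed `chat_id`. The caption appears to be the first exfil message as rendered on the sandbox (the IP, username and location describe the VM that ran the sample, not the operator), and the extractor cut it off mid-word. Because `api.telegram.org` is a legitimate service, the useful indicators are the bot id, the token and the chat id rather than the host. The following parser is an added example written for this page, not tooling from the sandbox or from the malware; it takes the C2 value exactly as shown above and splits it into those indicators, leaving the truncated caption as-is.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 value copied from the "Malware Config" section of this report. The caption is
# truncated in the report itself ("...Englan"); nothing is filled in here.
C2_URL = (
    "https://api.telegram.org/bot7985592397:AAFVMPiVHwyHikIzOgkAVrO_09lBQbg0bYY/sendDocument"
    "?chat_id=5279643894&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:"
    "%0AIP:%20212.102.63.147%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],"
    "%20London,%20Englan"
)

# Bot API paths have the shape /bot<bot_id>:<secret>/<method>; the numeric prefix
# of the token is the bot's own Telegram user id and survives a token rotation.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API exfil URL into the indicators worth tracking."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %s" % parts.netloc)
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        raise ValueError("unexpected path shape: %s" % parts.path)
    # parse_qs percent-decodes the values as UTF-8, so the emoji and %0A newlines
    # in the caption come back as real characters.
    qs = parse_qs(parts.query, keep_blank_values=True)
    caption = qs.get("caption", [""])[0]
    # Stealer captions are "Key: value" lines; the first line is the family banner.
    lines = caption.splitlines()
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return {
        "bot_id": m["bot_id"],
        "bot_token": "%s:%s" % (m["bot_id"], m["secret"]),
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
        "banner": lines[0] if lines else "",
        "fields": fields,
    }


def indicators(parsed: dict) -> list:
    """Indicator strings for a blocklist or abuse report. The host is deliberately
    not listed: api.telegram.org is legitimate traffic on most networks."""
    return [
        "telegram_bot_id:%s" % parsed["bot_id"],
        "telegram_bot_token:%s" % parsed["bot_token"],
        "telegram_chat_id:%s" % parsed["chat_id"],
    ]


if __name__ == "__main__":
    p = parse_telegram_c2(C2_URL)
    print(p["banner"], p["fields"])
    print("\n".join(indicators(p)))
```

Two things worth recording from the output: the caption brands the log as DOTSTEALER while the config extractor labels the family gurcu, so both names belong in the tracking entry, and the `Location` field ends in the truncated `Englan`, which the parser preserves rather than guessing at.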

Targets

    • Target

      2025-04-08_cd553ce7a31bac1a44b761dd831b1089_black-basta_hijackloader_luca-stealer

    • Size

      5.7MB

    • MD5

      cd553ce7a31bac1a44b761dd831b1089

    • SHA1

      a54f6d76cc6576e661ac793b085aa2da04f57349

    • SHA256

      a808f1f3c67e9ce64442115e902b375f4b30628359460a284d05ab2d0fdbcea9

    • SHA512

      00a85f996c40fd76bef66b0678a1572e993991267aa44bf80359a9a264b97c22943ca5f4d1adfbc55f0d634185de97ccbbde1a6f4551694f6e56461a08db7cca

    • SSDEEP

      98304:kWl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UczF:ktOuK6mn9NzgMoYkSIvUcwti7TQlvcik

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • Uses browser remote debugging

      The browser's remote debugging interface can be used to control the browser and steal sensitive information such as credentials and session cookies without touching the encrypted credential store on disk.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence to avoid running on machines in particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist
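Two of the behaviours listed above, launching a browser with remote debugging enabled and enumerating processes with tasklist, leave a clear trace in process-creation telemetry. The following detection logic is an added example for this page, not part of the sandbox report; the Sysmon-style events it runs over are constructed, and the field names (`Image`, `ParentImage`, `CommandLine`) follow Sysmon event 1. It flags a Chromium-based browser started with `--remote-debugging-port` or `--remote-debugging-pipe`, escalating when the launch is headless, comes from a non-interactive parent, or points `--user-data-dir` at a profile copy under Temp, and it flags tasklist when its parent is not a shell. Recent Chrome builds (136 and later) ignore the remote debugging switch for the default profile, so stealer tooling has to pass its own `--user-data-dir`, which is why the profile location is treated as a signal.

```python
import re

# Constructed Sysmon-style process-creation events, not from the report's task logs.
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropped.exe",   # hypothetical dropped payload
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 '
                    r'--headless --user-data-dir="C:\Users\Admin\AppData\Local\Temp\prof" --no-first-run'},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropped.exe",
     "CommandLine": "tasklist /FO CSV"},
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tasklist"},
]

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
# Parents from which an admin or developer would plausibly start these tools by hand.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)(?:=|\s|$)", re.I)
HEADLESS_RE = re.compile(r"--headless(?:=\S+)?(?:\s|$)", re.I)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir="?([^"\s]+)', re.I)
TEMP_PATH_RE = re.compile(r"\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return (rule, severity) findings for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []

    if image in CHROMIUM_BROWSERS and REMOTE_DEBUG_RE.search(cmd):
        # A developer starting DevTools from a shell is plausible; a headless launch,
        # a non-shell parent, or a profile copy under Temp is what a stealer does.
        suspicious = HEADLESS_RE.search(cmd) is not None or parent not in INTERACTIVE_PARENTS
        m = USER_DATA_DIR_RE.search(cmd)
        if m and TEMP_PATH_RE.search(m.group(1)):
            suspicious = True
        findings.append(("browser_remote_debugging", "high" if suspicious else "medium"))

    if image == "tasklist.exe" and parent not in INTERACTIVE_PARENTS:
        # Process enumeration is noisy on its own; keep it low and correlate on parent.
        findings.append(("process_enum_tasklist_nonshell_parent", "low"))

    return findings


def run(events=EVENTS) -> list:
    """Findings per event, in input order."""
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for event, found in zip(EVENTS, run()):
        print(basename(event["Image"]), "<-", basename(event["ParentImage"]), found or "clean")
```

Correlating the two findings on the same parent process (here the hypothetical dropped executable) is what turns two low-confidence events into a stealer detection; the remote-debugging launch by itself also fires for legitimate automation such as Selenium or Puppeteer, which is why the non-headless, interactive-parent case is kept at medium rather than high.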

MITRE ATT&CK Enterprise v15

Tasks