General

  • Target

    2025-06-02_0ef481c3d110d931c6dcd016e065c9e5_black-basta_chapak_cova_cryptbot_darkgate_dcrat_elex_hawkeye_luca-stealer

  • Size

    2.7MB

  • Sample

    250602-lhbzmahq6s

  • MD5

    0ef481c3d110d931c6dcd016e065c9e5

  • SHA1

    974799a1337909ecea90b580e04d837a68c88a08

  • SHA256

    4f22748956c9ec725df67a7729730ae3d56f88dc37db966abfc3a7557bbdb69a

  • SHA512

    e95256b9014f422dcc3ffda1b335152ac91bbb31155aead87b2056b6def4f185d05ccae88436731dd34c7b908f9484126c41f506b5893ffa9d5b0a2fcb0acc8a

  • SSDEEP

    49152:IbA30jpaKbkdZxtjneeQF0EzvRulLIwOpdea21xKMMWETLePnWxAsi:IbLpatbzeJFpvRqYSa21xyGwAsi

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7334804430:AAENpRr0uhF8YrTPMjVYxba7iorvVu_gBKo/sendPhoto?chat_id=7334804430&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20794d7f46e3d95f299406a657b7bbf24c75ca3da1%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20LZGONBTJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.85%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CWindows%5CShellExperiences%5Cupfc.ex

https://api.telegram.org/bot7334804430:AAENpRr0uhF8YrTPMjVYxba7iorvVu_gBKo/sendMessage?chat_id=7334804430

Targets

    • DcRat

      DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v16

Tasks