General

  • Target

    https://mega.nz/file/D8QXySgS#oaCPsQjxWQYOnqJF0GDRlUc1L5Lb0Pxo7BzoLAtkduE

  • Sample

    250604-btx15ayqx3

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7396142470:AAFvQ2Myxx59JurnFHB_gLTSXPNkel5cniA/sendPhoto?chat_id=8185181040&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20d4528144098942a05b9de976eb9b8c4aca92f949%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20XBBHRPZO%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.85%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CmsComponent%5CPortmonitor.ex

https://api.telegram.org/bot7396142470:AAFvQ2Myxx59JurnFHB_gLTSXPNkel5cniA/sendMessage?chat_id=8185181040

Targets

    • DcRat

      DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
