MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GurcuStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598
SHA3-384 hash: 6d56517782de1aaf86e78da745abfebb2f73648d68590211a751afd076a14e1a28e3e2d2daf142f8529af006e0f96ff6
SHA1 hash: 6a0d9eac1dffd5321c909adc2ac26ccc66470844
MD5 hash: 33a45fcbca9c96cf4d9f456d27d87820
humanhash: robin-oregon-skylark-south
File name:33a45fcbca9c96cf4d9f456d27d87820
Download: download sample
Signature GurcuStealer
Create hunting rule
File size:169'472 bytes
First seen:2023-04-04 03:49:51 UTC
Last seen:2023-04-04 04:29:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:/RYdMvZ75FI5cq29AzvWJNXiHzrlXuUu98pU9ED7+ltVswrdmb8MyJ+8bDvLJA:L7sBXHfleUu2U9U7+ltVswBm428bDD6
Threatray 496 similar samples on MalwareBazaar
TLSH T149F37D473B8882F2D8780C73BE93504E2B86BCF45A47C38AA5CBF1161DB17B5492A577
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6353535353131313 (2 x RedLineStealer, 1 x GurcuStealer, 1 x ExelaStealer)
Reporter zbetcheckin
Tags:32 exe GurcuStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
73b1586d7d158fac313a4a5d33545331.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 06:33:27 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/26856448-5171-4e1c-ae2b-d1ebe1b6c34c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379833/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21255.10168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed
Link:
https://www.filescan.io/uploads/642b9e709c8d0c3b7bcac6ef/reports/43423ad9-0323-40ac-94b7-1423cd38c494/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
WhiteSnake
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/061a7695-9509-4d5b-8ca9-1b0e8cda2b0e
Result
Threat name:
Gurcu Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207670
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Gurcu Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 09:01:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnxpokvkbvav3cyryrxtgasy77xj3vidbyohubzzrryg67aeqwma._file
Verdict:
malicious
Similar samples:
22d356755eee957f75b09e389ec629da6988502275bba71cd7f600a53033ba3a
GurcuStealer
259a26dbfb9e5e37b078e007d5cf4a7552cba457646c3c7da6a506f99fcbc2d9
GurcuStealer
3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4
GurcuStealer
99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13
GurcuStealer
c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269
GurcuStealer
c7550cc0310b3d3a99b9cd02b33450a5735c2aa93cdd8a345b9a46d3fa1a9d61
GurcuStealer
d063eec4ec30ecc633469e28b06bf8288a9107cd9f16ea97720877a6f761e248
GurcuStealer
e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341
GurcuStealer
e774b64170ea54274f9193e871da0412fa53835451f2f26277d9a474ff1ae7d5
GurcuStealer
+ 486 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230404-edxxzaee3s/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
49bb799a9128f04beea173856db60e3c062b07a65651e2368670a726f862da5e
MD5 hash:
259da1baa41c04dab3bb1593be908478
SHA1 hash:
887e15f9d84896815cba5ea1bd8e65269b925ce9
Link:
https://www.unpac.me/results/baed0c16-2485-4a80-baf7-c762fa0ffe18/
SH256 hash:
f72f47cf445891fd5abcdf28aa3127b4dbdae9dfff1a29b69558edc4f6f29b60
MD5 hash:
b8056dfddbe3dce7f9cfcacdaa0c226c
SHA1 hash:
5900476f998bdeddbebdcac55821945cc5d4a89d
Link:
https://www.unpac.me/results/baed0c16-2485-4a80-baf7-c762fa0ffe18/
SH256 hash:
b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598
MD5 hash:
33a45fcbca9c96cf4d9f456d27d87820
SHA1 hash:
6a0d9eac1dffd5321c909adc2ac26ccc66470844
Link:
https://www.unpac.me/results/baed0c16-2485-4a80-baf7-c762fa0ffe18/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b36ef72aaa0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GurcuStealer

Executable exe b36ef72aaa0d415d8b11c46f330258ffee9dd5030e1c7a07398c706f7c048598

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/379833/
  
URLhaus
https://urlhaus.abuse.ch/url/2596438/

Comments


Avatar
zbet commented on 2023-04-04 03:49:54 UTC

url : hxxp://193.233.20.36/lend/buildcr.exe