MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GurcuStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
SHA3-384 hash: 5fac4963c25a83cf769beb6fa9a3c29afb9478ed61b644926c5e207a7efa55c9826999a83bb2851ea881349940539d21
SHA1 hash: 23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
MD5 hash: a1ce7b26712e1db177d86fa87d09c354
humanhash: yellow-zebra-lemon-south
File name:a1ce7b26712e1db177d86fa87d09c354
Download: download sample
Signature GurcuStealer
Create hunting rule
File size:847'360 bytes
First seen:2023-05-26 17:22:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:IKY7z5GoJiGaq5auxKSjipNvJDK2WSqcIVr4vo1euUTyH2BQMyEp0mpefJ3Lww:G5GoR5amjipNvFK2LXG3VrEuqqJ8w
Threatray 1'826 similar samples on MalwareBazaar
TLSH T12605120533794753F6AA7BF5135156F017F6B96B7825E20A0DD6B3CF8A22F008A81B4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe GurcuStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a1ce7b26712e1db177d86fa87d09c354
Verdict:
Malicious activity
Analysis date:
2023-05-26 17:23:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e91f525c-526c-45e7-80ee-0a1e47ec7458

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392237/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.22191.32061.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6470eaf76abf73674178bf8b/reports/890eea01-7e01-425a-b5c1-09515f7ae02b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63c4d2c0-9c92-4bdd-baf4-5dd9021a8151
Result
Threat name:
Gurcu Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1243431
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Gurcu Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2023-05-26 17:23:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2ykypl6j3z2s75uoczy4u7t3aiuw43lmbai3gbizvpydywxz4ha._file
Verdict:
malicious
Similar samples:
032454dace97a2e1d466b0a2749f8a3fbaac125c110a89f43a1ecac98aa05b49
GurcuStealer
088dece027bdaff18c0f6ba9aecc17d2e55bc901ccfef1bbd02ca1f6eb367b1b
GurcuStealer
416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
GurcuStealer
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
GurcuStealer
53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
GurcuStealer
539b70f704ffff9cf973a032e01e39d31613a4ce7cd9939d84746d587d0a7ac9
GurcuStealer
7ef10437af99524e348b41e33c32a2c7c6270265b535700f3ec8c97f6c4f8a93
GurcuStealer
899407587a2e6e7c29947306df25f2a535f0616c4d1313f045c5b824fcc0a292
GurcuStealer
92bc5b745a6e3757f5ffbda877cb0b5725606d214642fc37f16ad0cf98c0cd9d
GurcuStealer
f84d789635e636040055b6e95077408820a412d66bb66934112a004ac24d9eba
GurcuStealer
+ 1'816 additional samples on MalwareBazaar
Result
Malware family:
gurcu
Create hunting rule
Score:
  10/10
Tags:
family:gurcu spyware stealer
Link:
https://tria.ge/reports/230526-vx44dsge73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Gurcu, WhiteSnake
Malware Config
C2 Extraction:
https://api.telegram.org/bot5948365373:AAHGoShKq2YoPLHuMrakRbVNthbMABFYHUc/sendMessage?chat_id=-1001620069625
Unpacked files
SH256 hash:
1488f28821ee598d0a1bf9d066af1d9b14d562e539c7c88b59e40f578cb2cc2b
MD5 hash:
8d786483b22000580527fc0cc8c1877a
SHA1 hash:
d7736e21eaaf18ac7b057317706a75e3db9b7edc
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
06d96424a868e2f19b8b2011ed49987fb622fd5681a3c283fff7293676a860c9
MD5 hash:
1edfc3aede1abf6c8f08bedc73f0ba9f
SHA1 hash:
4564e3a8efd51de0277bb923faea906c4f718b8f
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
SH256 hash:
1178a7d71f0681471d6fa3ad5ade9c9ca6a0eb725d234080fa7f8bcbb8f5b7f6
MD5 hash:
74b040ba51e8f5f5097461f3b2514c3c
SHA1 hash:
0d5d1728cfbb8238194e272a5411b8a146d9eed2
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
SH256 hash:
aa55a49c4e26b6c0cfb3aa599f5cb5c6eae65e0a7884458e75614092d073cf5f
MD5 hash:
9d9bed3fb41b5b721aafd13220f48c73
SHA1 hash:
069c54846fffaf8ba3abc8f140a60dd9755ff20a
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
SH256 hash:
b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e
MD5 hash:
a1ce7b26712e1db177d86fa87d09c354
SHA1 hash:
23d567e5ee4d4bf882f5d4ebe54643eecd921ef4
Link:
https://www.unpac.me/results/3f2fe3d5-e716-4900-ab45-698c8cd4cbb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GurcuStealer

Executable exe b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2641689/
Cape
Cape
https://www.capesandbox.com/analysis/392237/

Comments


Avatar
zbet commented on 2023-05-26 17:22:36 UTC

url : hxxp://95.214.27.98/lend/1232.exe