MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GurcuStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
SHA3-384 hash: 33fc207c9cfaea8e5a98bcb77c0566d729aa84c407609e742ebd660cf14d5fab6a5997d9540738487b5c241cd7b230f3
SHA1 hash: 51a7a706529aca5b5e6f11f49081d69b895b6342
MD5 hash: a8f6a3eb27d8afa3aee2628739050bd5
humanhash: paris-two-florida-blue
File name:a8f6a3eb27d8afa3aee2628739050bd5
Download: download sample
Signature GurcuStealer
Create hunting rule
File size:348'672 bytes
First seen:2023-05-09 01:00:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8A7O3csDSREZO2wVdHDpU+L5Vp9baED5xYE:lQpgGCHLfyEV6
TLSH T19D741B4C37C9FDE0EABF01FE78751355A3309C43922066061FEA69D71F926419ECA8E9
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 23272f2f2f2f2f0b (3 x AgentTesla, 2 x GurcuStealer, 2 x Formbook)
Reporter zbetcheckin
Tags:32 exe GurcuStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
Verdict:
Malicious activity
Analysis date:
2023-05-08 22:31:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55c6fe07-c366-4d0c-83fd-e32c4aa71882

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387627/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.IN.24.19918.11755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Sending an HTTP GET request
Sending a custom TCP request
Sending an HTTP POST request
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Moving a recently created file
Creating a window
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64599b4ed860ee3e1ca64ae3/reports/7dc78644-e2f5-4c18-8bb5-a646269ed3bd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f683401e-dd80-4519-b751-7ce23b138b7d
Result
Threat name:
Gurcu Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228771
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Gurcu Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861735 Sample: oHDgvZCRAn.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 79 blockchain.com 2->79 103 Found malware configuration 2->103 105 Antivirus detection for URL or domain 2->105 107 Antivirus / Scanner detection for submitted sample 2->107 109 9 other signatures 2->109 11 oHDgvZCRAn.exe 7 2->11         started        16 test.exe 2->16         started        18 oHDgvZCRAn.exe 2 2->18         started        signatures3 process4 dnsIp5 93 192.168.2.1 unknown unknown 11->93 71 C:\Users\user\AppData\...\oHDgvZCRAn.exe, PE32 11->71 dropped 73 C:\Users\...\oHDgvZCRAn.exe:Zone.Identifier, ASCII 11->73 dropped 75 C:\Users\user\AppData\...\oHDgvZCRAn.exe.log, CSV 11->75 dropped 121 Self deletion via cmd or bat file 11->121 20 cmd.exe 1 11->20         started        123 Antivirus detection for dropped file 16->123 125 Multi AV Scanner detection for dropped file 16->125 127 Machine Learning detection for dropped file 16->127 23 tor.exe 16->23         started        25 WerFault.exe 16->25         started        file6 signatures7 process8 signatures9 111 Uses schtasks.exe or at.exe to add and modify task schedules 20->111 113 Uses ping.exe to check the status of other devices and networks 20->113 27 oHDgvZCRAn.exe 14 9 20->27         started        32 PING.EXE 1 20->32         started        34 conhost.exe 20->34         started        36 2 other processes 20->36 process10 dnsIp11 95 ip-api.com 208.95.112.1 TUT-ASUS United States 27->95 97 api.telegram.org 149.154.167.220 TELEGRAMRU United Kingdom 27->97 101 19 other IPs or domains 27->101 77 C:\Users\user\AppData\Local\test.exe, PE32 27->77 dropped 129 Antivirus detection for dropped file 27->129 131 Multi AV Scanner detection for dropped file 27->131 133 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->133 135 6 other signatures 27->135 38 test.exe 27->38         started        43 tar.exe 15 27->43         started        45 tor.exe 15 27->45         started        99 127.0.0.1 unknown unknown 32->99 file12 signatures13 process14 dnsIp15 81 www.eset.com 38->81 83 github.com 38->83 85 eset.com 38->85 61 C:\Users\user\AppData\Local61vidia\test.exe, PE32 38->61 dropped 115 Antivirus detection for dropped file 38->115 117 Multi AV Scanner detection for dropped file 38->117 119 Machine Learning detection for dropped file 38->119 47 cmd.exe 38->47         started        63 C:\Users\user\AppData\Local\...\tor.exe, PE32+ 43->63 dropped 65 C:\Users\user\AppData\...\tor-gencert.exe, PE32+ 43->65 dropped 67 C:\Users\user\...\snowflake-client.exe, PE32+ 43->67 dropped 69 C:\Users\user\AppData\...\obfs4proxy.exe, PE32+ 43->69 dropped 49 conhost.exe 43->49         started        87 23.175.32.11 NEUSTYLECA Canada 45->87 89 185.14.30.57 ITLDC-NLUA Ukraine 45->89 91 3 other IPs or domains 45->91 51 conhost.exe 45->51         started        file16 signatures17 process18 process19 53 conhost.exe 47->53         started        55 chcp.com 47->55         started        57 PING.EXE 47->57         started        59 2 other processes 47->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 00:26:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjetrkdrsdpys2mguixz6zx3qrab3icm3ivfgwcwwdhj5lfsxugq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230509-bc7t1afd8s/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6fd1b2c2803bfe212295b95ea859082a4a651d80e6121b8ebd1cd7ea188a940c
MD5 hash:
690fda5a23f48e4b9a96557d1a54d2c7
SHA1 hash:
62e8ea2e049c74f907880e1075752ca656ee2bce
Link:
https://www.unpac.me/results/85fe5db4-6f88-4abe-b51e-10779e0da869/
SH256 hash:
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
MD5 hash:
a8f6a3eb27d8afa3aee2628739050bd5
SHA1 hash:
51a7a706529aca5b5e6f11f49081d69b895b6342
Link:
https://www.unpac.me/results/85fe5db4-6f88-4abe-b51e-10779e0da869/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c24938a87190/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GurcuStealer

Executable exe c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2627406/
Cape
Cape
https://www.capesandbox.com/analysis/387627/
  
URLhaus
https://urlhaus.abuse.ch/url/2627422/

Comments


Avatar
zbet commented on 2023-05-09 01:00:59 UTC

url : hxxp://185.161.248.175/test.exe