gurcu | 85d1a8a1b427c26b9b6d304658dcef90998687e1ca894293bbe335da9b79eb69

General

Target

Update.exe
Size

38.5MB
Sample

240627-scqzxsyfrj
MD5

e1677dda9029b6a47c09f89fadcb32fe
SHA1

2ba06de5df5348336de4218d8dfb08cb89687f29
SHA256

85d1a8a1b427c26b9b6d304658dcef90998687e1ca894293bbe335da9b79eb69
SHA512

5189213d706def83e4be07c2557dedf34e35c305a8453417083027c03d32822687fcd3d1d55778449d51ee97d4293fd7f489ef7a673bb956318f44c629bd5107
SSDEEP

786432:5RQBrMQP00pusvRWJ67Q/UBBf3gss9rUqJsQ5mmKr1+5dbRho:5ROrLLvRk/ywss5Jwkd

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  Update.exe
- Size
  
  38.5MB
- MD5
  
  e1677dda9029b6a47c09f89fadcb32fe
- SHA1
  
  2ba06de5df5348336de4218d8dfb08cb89687f29
- SHA256
  
  85d1a8a1b427c26b9b6d304658dcef90998687e1ca894293bbe335da9b79eb69
- SHA512
  
  5189213d706def83e4be07c2557dedf34e35c305a8453417083027c03d32822687fcd3d1d55778449d51ee97d4293fd7f489ef7a673bb956318f44c629bd5107
- SSDEEP
  
  786432:5RQBrMQP00pusvRWJ67Q/UBBf3gss9rUqJsQ5mmKr1+5dbRho:5ROrLLvRk/ywss5Jwkd
Score

10^/10

upx gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Contacts a large (1000) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2