Extracted

• • Target

    main.exe

  • Size

    5.6MB

  • MD5

    3d3c49dd5d13a242b436e0a065cd6837

  • SHA1

    e38a773ffa08452c449ca5a880d89cfad24b6f1b

  • SHA256

    e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

  • SHA512

    dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

  • SSDEEP

    98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY

  Score

  10^/10

  gurcumilleniumratpersistenceprivilege_escalationratspywarestealer

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1

• • Target

    setup.exe

  • Size

    5.4MB

  • MD5

    1274cbcd6329098f79a3be6d76ab8b97

  • SHA1

    53c870d62dcd6154052445dc03888cdc6cffd370

  • SHA256

    bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

  • SHA512

    a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

  • SSDEEP

    98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4

  Score

  10^/10

  evasionexecution

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral2

• • Target

    svchost.exe

  • Size

    12.0MB

  • MD5

    48b277a9ac4e729f9262dd9f7055c422

  • SHA1

    d7e8a3fa664e863243c967520897e692e67c5725

  • SHA256

    5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

  • SHA512

    66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

  • SSDEEP

    196608:HWweM4sJFPpGAjMGhuPD5U4iDfyGgVwBdnpkYRMoSENsS3Mcj0kilsl:0SP8AxYDMDfDgVc6J4pMcj9Wsl

  Score

  9^/10

  discoverypersistence

  • Contacts a large (3137) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral3