gurcu | a5919a19c11aad0d5952563ac07b653bb3b44e887b4614d64d5f29d1cc2ea274 | Triage

Submit
Reports

Overview

overview

Static

static

3

LoadingLoa...4_.exe

windows7-x64

7

LoadingLoa...4_.exe

windows10-2004-x64

Sharing

General

Target

LoadingLoader1.23.4_.exe
Size

117.7MB
Sample

240712-wqhr9awgnf
MD5

e9b978b3e9771add83cdbf69e8319d46
SHA1

b4813634d987ed20807a24c1feb0bb01913f34fd
SHA256

a5919a19c11aad0d5952563ac07b653bb3b44e887b4614d64d5f29d1cc2ea274
SHA512

ef69e12da23f529e3b4e33a175cc8baef0541aece4c43245e5e41ab99967cc0d4c267e85fc5326a69ce4d9f1fda00f5f0c65056335e6ad5adc74390fa8186552
SSDEEP

3145728:T3lAti03/gG5uyw3REfQmgE3XfXX4r6Wa2keVTBRdX9VoS3ftQSYG:ByiidMywhEfQHEn/c82PTTTN3ftQSYG

Score

10^/10

gurcu milleniumrat discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

LoadingLoader1.23.4_.exe

Resource

win7-20240708-en

execution pyinstaller upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

LoadingLoader1.23.4_.exe

Resource

win10v2004-20240709-en

gurcu milleniumrat discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer upx

windows10-2004-x64

43 signatures

150 seconds

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  LoadingLoader1.23.4_.exe
- Size
  
  117.7MB
- MD5
  
  e9b978b3e9771add83cdbf69e8319d46
- SHA1
  
  b4813634d987ed20807a24c1feb0bb01913f34fd
- SHA256
  
  a5919a19c11aad0d5952563ac07b653bb3b44e887b4614d64d5f29d1cc2ea274
- SHA512
  
  ef69e12da23f529e3b4e33a175cc8baef0541aece4c43245e5e41ab99967cc0d4c267e85fc5326a69ce4d9f1fda00f5f0c65056335e6ad5adc74390fa8186552
- SSDEEP
  
  3145728:T3lAti03/gG5uyw3REfQmgE3XfXX4r6Wa2keVTBRdX9VoS3ftQSYG:ByiidMywhEfQHEn/c82PTTTN3ftQSYG
Score

10^/10

execution pyinstaller upx gurcu milleniumrat discovery evasion persistence privilege_escalation rat spyware stealer
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates VirtualBox DLL files
- Contacts a large (660) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

File and Directory Discovery

Network Service Discovery

Process Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

executionpyinstallerupx

behavioral2

gurcumilleniumratdiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerratspywarestealerupx

© 2018-2024

Terms | Privacy