gurcu | 5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a

Sharing

Copy URL

Twitter E-mail

General

Target

jet.zip
Size

112.6MB
Sample

240715-2ey8rasepq
MD5

de779c3b4e36d82762dfc61ce9c9bbf2
SHA1

6fbd58a60b3095ac4be7700006237ca9a3f5772e
SHA256

5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a
SHA512

71f857ae4bd5565654c1b4bb049e082d0f4a7d0fa8cb2d789581a35b9cc956f6855f295fb65156721e95c20af6291e2a735067647ed46d46e7f9def021546948
SSDEEP

3145728:HtfPhRs9D5Zi+mHm47bSZvkG5MQbZ+mSUvh044h:HtfPnsLZi+mHm4XSZ35MAB044

Score

10^/10

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  jet.zip
- Size
  
  112.6MB
- MD5
  
  de779c3b4e36d82762dfc61ce9c9bbf2
- SHA1
  
  6fbd58a60b3095ac4be7700006237ca9a3f5772e
- SHA256
  
  5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a
- SHA512
  
  71f857ae4bd5565654c1b4bb049e082d0f4a7d0fa8cb2d789581a35b9cc956f6855f295fb65156721e95c20af6291e2a735067647ed46d46e7f9def021546948
- SSDEEP
  
  3145728:HtfPhRs9D5Zi+mHm47bSZvkG5MQbZ+mSUvh044h:HtfPnsLZi+mHm4XSZ35MAB044
Score

1^/10
behavioral1 behavioral2
- Target
  
  jet/crack.dll
- Size
  
  2.3MB
- MD5
  
  10f5e8139433eb7087c7946c0659cdf2
- SHA1
  
  a5ed6ad5115e3d1a9b274d5132ee51d94ccdf568
- SHA256
  
  031ba5a69b202f5d7a5dccb8fe7795aa711acdcf9d122e776f08badfd24a510e
- SHA512
  
  413638b28320378930c33726246eae113925e7034d05503d4e0277402c600f850f8d96d0c259925d7dcac1abb12353c0935dec7f466013d523bd4075be621d48
- SSDEEP
  
  49152:XwFdjXhom+KbllCmGFZYCY+DWefdmjLdGGf:4om+KboYCY+TfdmjLdGGf
Score

1^/10
behavioral3 behavioral4
- Target
  
  jet/jet.exe
- Size
  
  34.2MB
- MD5
  
  5e06053d551d8d4030796d1f962aba92
- SHA1
  
  6cf2351a65be0515dc1392b59902774f476c36e8
- SHA256
  
  1ed92d4e3caae52e8b39dbe22d031c4a057355befa038045ebc7383e1da1f9b9
- SHA512
  
  9ecc16aa0c0e8ed6d817b701e86a6db320c7167d399349bd97f109dfade95d6ee3f786dd4b2004e0e396a090fb509633aea6bbe46065853a3abf42f3c2782bee
- SSDEEP
  
  786432:VuXHiRyc0PacOHzeMKVxzx5cfOHzeMKVxzx5cU5FRA3L:VuXHLc0PacOHzDCd5cfOHzDCd5cUzRO
Score

7^/10
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  jet.pyc
- Size
  
  43KB
- MD5
  
  26607351ccf2e9de1e035344be8dfcda
- SHA1
  
  5c38d2794b360b866fd3bd040ab033fd3007dff7
- SHA256
  
  def71c9a9d3ac683b7b7d22ba4d8658cd53a0521ee1ec17cecf7f66646c75192
- SHA512
  
  c5605bbb93e988a4f0aca6d7171bab2240c7f0f116c9e0290a45f40c5f2c387813ba4e40a5097cf913fcb7e30eeabbace261292b4184cfdf922fc43be9e6a78d
- SSDEEP
  
  768:jL5tse7c8cULSHrzJQRKc7Rr7R7O0AFzgN3FBcw2muyc:jlWUZ8rzJQR7Rr7R70KNpm
Score

3^/10
behavioral7 behavioral8
- Target
  
  jet/loader.exe
- Size
  
  39.3MB
- MD5
  
  cb5900d8c99b9b2b8391c5e07de93048
- SHA1
  
  21434e75d38c698a924a28a39498f230ba1e23f2
- SHA256
  
  53d60f5a2e65c6aae90eb6e9f872cd381fc152f33e8227bef5fe27d61e09ceb3
- SHA512
  
  148be276c6a8b98971c975c27a7b4d27146667b80447198d09777131b2dd5511de51db3ded5b3d04b72a85f12f772792e0590427c3cbceb2b1d9b5420d9d205d
- SSDEEP
  
  786432:vp039FS+ab44n6ASQSc6k00CZcKoTMS4n4BgmpHvT6CKrftQKN:vps9Fnab4+6DQSc6JUCSC4hH2CKLtQK
Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Contacts a large (1225) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  main.pyc
- Size
  
  437B
- MD5
  
  e3a83cc96bc468e8ed5e99b61ab1b08c
- SHA1
  
  fc094fba9141e8ace98cce0309e1472b2471b631
- SHA256
  
  893f6af6a7c380817dd8a1e5f63e72225b82c9775dc8ca40a449ed86c0427932
- SHA512
  
  6d629486b39cef47bd2ce9b79ff792eebee83e4bdcbb30a756aabcbce75473a732ce2f3e89f0d200a4f9dc98765ce07538a9737cd428b2b372a6d36f4e78630d
Score

3^/10
behavioral11 behavioral12