gurcu | 45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced | Triage

Submit
Reports

Overview

overview

Static

static

3

maple.rar

windows7-x64

3

maple.rar

windows10-2004-x64

3

maple/Maple.exe

windows7-x64

7

maple/Maple.exe

windows10-2004-x64

main.pyc

windows7-x64

3

main.pyc

windows10-2004-x64

3

maple/asse...ge.png

windows7-x64

3

maple/asse...ge.png

windows10-2004-x64

3

maple/asse...g.json

windows7-x64

3

maple/asse...g.json

windows10-2004-x64

3

maple/crack.dll

windows7-x64

9

maple/crack.dll

windows10-2004-x64

9

maple/loader.exe

windows7-x64

7

maple/loader.exe

windows10-2004-x64

Sharing

General

Target

maple.rar
Size

83.6MB
Sample

240717-e818wayfpa
MD5

5496bbda0f232739693181b75449651d
SHA1

6ead70b12fbe4531997c3ea926c7b063d3774993
SHA256

45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced
SHA512

e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72
SSDEEP

1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ

Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

maple.rar

Resource

win7-20240704-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

maple.rar

Resource

win10v2004-20240709-en

windows10-2004-x64

3 signatures

150 seconds

Behavioral task

behavioral3

Sample

maple/Maple.exe

Resource

win7-20240705-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral4

Sample

maple/Maple.exe

Resource

win10v2004-20240709-en

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

windows10-2004-x64

34 signatures

150 seconds

Behavioral task

behavioral5

Sample

main.pyc

Resource

win7-20240704-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral6

Sample

main.pyc

Resource

win10v2004-20240709-en

windows10-2004-x64

3 signatures

150 seconds

Behavioral task

behavioral7

Sample

maple/assets/avatars/image.png

Resource

win7-20240704-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral8

Sample

maple/assets/avatars/image.png

Resource

win10v2004-20240709-en

windows10-2004-x64

1 signatures

150 seconds

Behavioral task

behavioral9

Sample

maple/assets/config.json

Resource

win7-20240705-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral10

Sample

maple/assets/config.json

Resource

win10v2004-20240709-en

windows10-2004-x64

3 signatures

150 seconds

Behavioral task

behavioral11

Sample

maple/crack.dll

Resource

win7-20240705-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral12

Sample

maple/crack.dll

Resource

win10v2004-20240709-en

windows10-2004-x64

3 signatures

150 seconds

Behavioral task

behavioral13

Sample

maple/loader.exe

Resource

win7-20240708-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral14

Sample

maple/loader.exe

Resource

win10v2004-20240709-en

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

windows10-2004-x64

44 signatures

150 seconds

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  maple.rar
- Size
  
  83.6MB
- MD5
  
  5496bbda0f232739693181b75449651d
- SHA1
  
  6ead70b12fbe4531997c3ea926c7b063d3774993
- SHA256
  
  45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced
- SHA512
  
  e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72
- SSDEEP
  
  1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ
Score

3^/10
behavioral1 behavioral2
- Target
  
  maple/Maple.exe
- Size
  
  74.8MB
- MD5
  
  87dbbc1ff26b8f7e5cbe56b8f7d4d406
- SHA1
  
  c731816d542d527c25b0ce6269a573b8eb486e9b
- SHA256
  
  f7821841c7f10c253f9e34f91e38cea853244afc0103561647598c707ff26742
- SHA512
  
  2196b39219865c2efd75fa678b0e4723951a2a2f48094c410ddcff4b9ef59e35cb946788487130085f77826868abfe3e7c35cbb80389c3e4d59adedce860086c
- SSDEEP
  
  1572864:Aps9Fnab4+6DQSc6JUCSi0HTq1/3LmSGnxnkqbHbcT7IMpeQW/0FKAGCYK:wzx6cSgC0HMVGnDbHbc5peu9GCYK
Score

10^/10

upx gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Contacts a large (520) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  main.pyc
- Size
  
  437B
- MD5
  
  e3a83cc96bc468e8ed5e99b61ab1b08c
- SHA1
  
  fc094fba9141e8ace98cce0309e1472b2471b631
- SHA256
  
  893f6af6a7c380817dd8a1e5f63e72225b82c9775dc8ca40a449ed86c0427932
- SHA512
  
  6d629486b39cef47bd2ce9b79ff792eebee83e4bdcbb30a756aabcbce75473a732ce2f3e89f0d200a4f9dc98765ce07538a9737cd428b2b372a6d36f4e78630d
Score

3^/10
behavioral5 behavioral6
- Target
  
  maple/assets/avatars/image.png
- Size
  
  9KB
- MD5
  
  5f7eb1034bafd175dc02891dd4053fbb
- SHA1
  
  fa825c4e990621bc21d58d09277643f5eca96f88
- SHA256
  
  f2eebedf2d777ac44b09f761a61b51b3411d1bc3687a6801ccaec45eaaa689bb
- SHA512
  
  107f27bc7685473f63eb4e674973cf97a65a3212f4114def849c71eb59e2f13f51c61312b57e490f5565075a74184ace4f6a3c26a1e6c8095803509fe1c4034e
- SSDEEP
  
  192:ISWi29akgO8zkHdkDcdFVKSkAjtKbO2EaGKkMP4ui6IkULA/:Pr248VHdxFSAjEO2EaNg6Ikd/
Score

3^/10
behavioral7 behavioral8
- Target
  
  maple/assets/config.json
- Size
  
  149B
- MD5
  
  ee9db446b33f463ca8f558873c6fff7e
- SHA1
  
  d40efe04626a430d9c9c1b8db90dbd1110d8e2f8
- SHA256
  
  09962830609b0d1d5b286ad3e178245cfc152caa278d660b5b0a3dc21559547e
- SHA512
  
  7babaeb3edf9a7fcb9da804c5c1c53ce8abfeb91f83774a60bd538ca3c0bb4afb29f0afeb4ebb00bb51575a8c8d7011900367b92643925a1e585f2e73fba86d8
Score

3^/10
behavioral10 behavioral9
- Target
  
  maple/crack.dll
- Size
  
  5.0MB
- MD5
  
  b5b1b26e855eda6268b9a2008e0fce86
- SHA1
  
  d7925f7de5835e3564b187d8654bb9305ea945fb
- SHA256
  
  06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7
- SHA512
  
  14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799
- SSDEEP
  
  98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
behavioral11 behavioral12
- Target
  
  maple/loader.exe
- Size
  
  5.3MB
- MD5
  
  e630d72436e3dc1be7763de7f75b7adf
- SHA1
  
  40e07b22ab8b69e6827f90e20aeac35757899a23
- SHA256
  
  59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e
- SHA512
  
  82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83
- SSDEEP
  
  98304:MY5XZjNqBeNp4iSgPKpQ9CKhqkaIWvO9SYCxBKXyaxVdb+tSVGHyYDMMl7qg7:MYpMeNp4irCmWISnTz2VtIVDMg7n7
Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Contacts a large (1138) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Network Service Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

gurcumilleniumratdiscoveryevasionexecutionpersistencepyinstallerratspywarestealerupx

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

gurcumilleniumratdiscoveryevasionexecutionpersistencepyinstallerratspywarestealerupx

© 2018-2024

Terms | Privacy