Extracted

• • Target

    hacn.exe

  • Size

    24.0MB

  • MD5

    70d8f32540470db5df9d39deed7bd6cb

  • SHA1

    a14147440736d4f1427193cd206f519890b9f2f2

  • SHA256

    858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

  • SHA512

    522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

  • SSDEEP

    393216:VDfDoc6nS0ns/xgsJpQZ4qx0LVRCOIv09pgtmRFb4hOpLsLWV9hf4g:Vb7gnsWs/k4qIov09L8E9s6h

  Score

  10^/10

  gurcumilleniumratevasionexecutionpersistencepyinstallerratspywarestealer

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2