gurcu | 7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd

General

Target

s.exe
Size

18.9MB
Sample

240721-gdpygavene
MD5

0ffb0d17b199b2748b2f16e98e441f94
SHA1

b792e0a9bcb22981651be78d9820f77a7d579479
SHA256

7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd
SHA512

f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232
SSDEEP

393216:ywIP6vlW6zvKl8O/GZ/VEyKBSZX+d+brPKLqT7GP8zHFpw:AP6Y6rG8O2IBSZZyW/GcFC

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  s.exe
- Size
  
  18.9MB
- MD5
  
  0ffb0d17b199b2748b2f16e98e441f94
- SHA1
  
  b792e0a9bcb22981651be78d9820f77a7d579479
- SHA256
  
  7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd
- SHA512
  
  f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232
- SSDEEP
  
  393216:ywIP6vlW6zvKl8O/GZ/VEyKBSZX+d+brPKLqT7GP8zHFpw:AP6Y6rG8O2IBSZZyW/GcFC
Score

10^/10

milleniumrat evasion execution persistence pyinstaller rat spyware stealer gurcu discovery
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Contacts a large (1027) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2