gurcu | 45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced

General

Target

maple.rar
Size

83.6MB
Sample

240722-rs7ryatajn
MD5

5496bbda0f232739693181b75449651d
SHA1

6ead70b12fbe4531997c3ea926c7b063d3774993
SHA256

45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced
SHA512

e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72
SSDEEP

1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  maple.rar
- Size
  
  83.6MB
- MD5
  
  5496bbda0f232739693181b75449651d
- SHA1
  
  6ead70b12fbe4531997c3ea926c7b063d3774993
- SHA256
  
  45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced
- SHA512
  
  e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72
- SSDEEP
  
  1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ
Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Contacts a large (3439) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1