General

  • Target

    maple.rar

  • Size

    83.6MB

  • Sample

    240723-ml2vws1emg

  • MD5

    5496bbda0f232739693181b75449651d

  • SHA1

    6ead70b12fbe4531997c3ea926c7b063d3774993

  • SHA256

    45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced

  • SHA512

    e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72

  • SSDEEP

    1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getFile?file_id=BQACAgEAAyEFAASF2AHzAAJz-Gafh664uIZnssGDtL90HQABf1hdaQACiwUAAgfw-UTJKDlgBMq34TU

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/sendMessage?chat_id=6024388590

https://api.telegram.org/bot7457548429:AAGMvKYWjBbGXayEC5uoksRl1i2BIy7ylDg/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getFile?file_id=BQACAgEAAyEFAASF2AHzAAJz-2afh8OP68OQK8tJxiuMpGDOlXyyAAKMBQACB_D5RIRDQC1ku1wRNQ

Targets

    • Target

      maple.rar

    • Size

      83.6MB

    • MD5

      5496bbda0f232739693181b75449651d

    • SHA1

      6ead70b12fbe4531997c3ea926c7b063d3774993

    • SHA256

      45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced

    • SHA512

      e11145b8b3ffcfc43cde8b8f002c5607275ab80bd502126ceee4b616915b1f887a33536b9d1a6ffea82b37e696a23acaa829b7cf58b16d81b1e9236c8a750d72

    • SSDEEP

      1572864:juAoNPdn4+nKVQDd75zrPu5IdW6fZoNTLjqCJNekAKSO4OTLgpjK8SAsUja3J8/d:iFznKurPohjqCakQvWgpeThUu3JAtZ

    Score: 3/10
    • Target

      maple/Maple.exe

    • Size

      74.8MB

    • MD5

      87dbbc1ff26b8f7e5cbe56b8f7d4d406

    • SHA1

      c731816d542d527c25b0ce6269a573b8eb486e9b

    • SHA256

      f7821841c7f10c253f9e34f91e38cea853244afc0103561647598c707ff26742

    • SHA512

      2196b39219865c2efd75fa678b0e4723951a2a2f48094c410ddcff4b9ef59e35cb946788487130085f77826868abfe3e7c35cbb80389c3e4d59adedce860086c

    • SSDEEP

      1572864:Aps9Fnab4+6DQSc6JUCSi0HTq1/3LmSGnxnkqbHbcT7IMpeQW/0FKAGCYK:wzx6cSgC0HMVGnDbHbc5peu9GCYK

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Contacts a large number (2526) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      main.pyc

    • Size

      437B

    • MD5

      e3a83cc96bc468e8ed5e99b61ab1b08c

    • SHA1

      fc094fba9141e8ace98cce0309e1472b2471b631

    • SHA256

      893f6af6a7c380817dd8a1e5f63e72225b82c9775dc8ca40a449ed86c0427932

    • SHA512

      6d629486b39cef47bd2ce9b79ff792eebee83e4bdcbb30a756aabcbce75473a732ce2f3e89f0d200a4f9dc98765ce07538a9737cd428b2b372a6d36f4e78630d

    Score: 3/10
    • Target

      maple/assets/avatars/image.png

    • Size

      9KB

    • MD5

      5f7eb1034bafd175dc02891dd4053fbb

    • SHA1

      fa825c4e990621bc21d58d09277643f5eca96f88

    • SHA256

      f2eebedf2d777ac44b09f761a61b51b3411d1bc3687a6801ccaec45eaaa689bb

    • SHA512

      107f27bc7685473f63eb4e674973cf97a65a3212f4114def849c71eb59e2f13f51c61312b57e490f5565075a74184ace4f6a3c26a1e6c8095803509fe1c4034e

    • SSDEEP

      192:ISWi29akgO8zkHdkDcdFVKSkAjtKbO2EaGKkMP4ui6IkULA/:Pr248VHdxFSAjEO2EaNg6Ikd/

    Score: 3/10
    • Target

      maple/assets/config.json

    • Size

      149B

    • MD5

      ee9db446b33f463ca8f558873c6fff7e

    • SHA1

      d40efe04626a430d9c9c1b8db90dbd1110d8e2f8

    • SHA256

      09962830609b0d1d5b286ad3e178245cfc152caa278d660b5b0a3dc21559547e

    • SHA512

      7babaeb3edf9a7fcb9da804c5c1c53ce8abfeb91f83774a60bd538ca3c0bb4afb29f0afeb4ebb00bb51575a8c8d7011900367b92643925a1e585f2e73fba86d8

    Score: 3/10
    • Target

      maple/crack.dll

    • Size

      5.0MB

    • MD5

      b5b1b26e855eda6268b9a2008e0fce86

    • SHA1

      d7925f7de5835e3564b187d8654bb9305ea945fb

    • SHA256

      06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7

    • SHA512

      14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799

    • SSDEEP

      98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ

    Score: 9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Target

      maple/loader.exe

    • Size

      5.3MB

    • MD5

      e630d72436e3dc1be7763de7f75b7adf

    • SHA1

      40e07b22ab8b69e6827f90e20aeac35757899a23

    • SHA256

      59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

    • SHA512

      82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

    • SSDEEP

      98304:MY5XZjNqBeNp4iSgPKpQ9CKhqkaIWvO9SYCxBKXyaxVdb+tSVGHyYDMMl7qg7:MYpMeNp4irCmWISnTz2VtIVDMg7n7

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Contacts a large number (2506) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
