General
-
Target
https://mega.nz/file/t3kESB5b#5n0VPvVRYZOHqb_cnVQNqslCsvI9qsIP3h8Xl0RpYyA
-
Sample
240825-wbe3tawdjc
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/file/t3kESB5b#5n0VPvVRYZOHqb_cnVQNqslCsvI9qsIP3h8Xl0RpYyA
Resource
win10v2004-20240802-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.26%20kb
https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777
https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-
https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
https://mega.nz/file/t3kESB5b#5n0VPvVRYZOHqb_cnVQNqslCsvI9qsIP3h8Xl0RpYyA
-
Android 888 RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1