General

  • Target

    main.exe

  • Size

    25.6MB

  • Sample

    241101-wdwhks1rdy

  • MD5

    9403791de3f59a172cae8b47c6aecf8b

  • SHA1

    d793a71ebc5aac8756c3e85a4b24b9f1a96d4442

  • SHA256

    43584ea9266aca9cb7c398685c7268594a0af3a961a09b4f3e74e3d1e3406c2a

  • SHA512

    c467ad5f383526f44e123575c4cfcd4a88aada69d04bbd02ffcf8dca4bbbf7f517f9ef145af6979d399614f88b427e42a25086d297d5ff6572ef30e61c80b808

  • SSDEEP

    786432:3bYfjiuF8MrwttA8V/ZVQ2bBjt9MDiXHmc4:3bjMrwttAuVQ2Vjtb4

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590

https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-

https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      main.exe

    • Size

      25.6MB

    • MD5

      9403791de3f59a172cae8b47c6aecf8b

    • SHA1

      d793a71ebc5aac8756c3e85a4b24b9f1a96d4442

    • SHA256

      43584ea9266aca9cb7c398685c7268594a0af3a961a09b4f3e74e3d1e3406c2a

    • SHA512

      c467ad5f383526f44e123575c4cfcd4a88aada69d04bbd02ffcf8dca4bbbf7f517f9ef145af6979d399614f88b427e42a25086d297d5ff6572ef30e61c80b808

    • SSDEEP

      786432:3bYfjiuF8MrwttA8V/ZVQ2bBjt9MDiXHmc4:3bjMrwttAuVQ2Vjtb4

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Milleniumrat family

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks