General
-
Target
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe
-
Size
5.6MB
-
Sample
241111-dmk44a1jcx
-
MD5
3d3c49dd5d13a242b436e0a065cd6837
-
SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b
-
SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
-
SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
-
SSDEEP
98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
Static task
static1
Behavioral task
behavioral1
Sample
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe
-
Size
5.6MB
-
MD5
3d3c49dd5d13a242b436e0a065cd6837
-
SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b
-
SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
-
SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
-
SSDEEP
98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
-
Gurcu family
-
Milleniumrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1