General
-
Target
checker.exe
-
Size
27.3MB
-
Sample
241111-sa5ejazkay
-
MD5
b88f1340f5934f4e81a06b322cecae5c
-
SHA1
6b6d63fec4546ecde4eee6e710f0845fd84a19cf
-
SHA256
1f0a70334fb3a63b9c70cdfe01c012829cc380970cd6b12936f22d44e3c0e388
-
SHA512
80135012e70e24ba2aace76661900d95a2dceea2d5ecc184f7632df90f2b9153413806af9c2db2955abb852d908af34fc1a0f79c3ed2bcc09a17bbf79a86065c
-
SSDEEP
393216:PDfDoc6IuQEofCY7Zqr2/12IJ0jctBfVAAxCQvNjhFAsAiW1UTxgnQnWbexF9iRZ:Pb7nu+fCmxv6cCYC8hXKUVgQPtf4y3
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
checker.exe
-
Size
27.3MB
-
MD5
b88f1340f5934f4e81a06b322cecae5c
-
SHA1
6b6d63fec4546ecde4eee6e710f0845fd84a19cf
-
SHA256
1f0a70334fb3a63b9c70cdfe01c012829cc380970cd6b12936f22d44e3c0e388
-
SHA512
80135012e70e24ba2aace76661900d95a2dceea2d5ecc184f7632df90f2b9153413806af9c2db2955abb852d908af34fc1a0f79c3ed2bcc09a17bbf79a86065c
-
SSDEEP
393216:PDfDoc6IuQEofCY7Zqr2/12IJ0jctBfVAAxCQvNjhFAsAiW1UTxgnQnWbexF9iRZ:Pb7nu+fCmxv6cCYC8hXKUVgQPtf4y3
Score10/10-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Milleniumrat family
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (1501) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1