Overview

overview

10

Static

static

3

system32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    system32.exe

  • Size

    21.8MB

  • Sample

    241112-2jf8qssgll

  • MD5

    5c1a44c3055eaec0bc305e0dcc7a1476

  • SHA1

    7717068b90572e47d4efb3e1f3ef8b6c25d13b9b

  • SHA256

    9d39a47a791aba190c802ba11ecca267515f47e80169a3afa0bb267ee4e76360

  • SHA512

    5b266e58f09f324f3e83a1c07eafd08726ee61c5470667191a5a7ffdc122b94a24b06beb3c9e26d3caa8478b2df166232d8076d93fa3321434c9a499a1b7d5ee

  • SSDEEP

    393216:VxKTtgYz2DVrARX1dkOLYvvMjpXwhPGkAs/f2qbrK/Yb+0flxC1hNGW:7YzgVrelagevKXwLV3ro0flxC1L

Score
10/10
gurcumilleniumratdiscoverypersistencepyinstallerratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendMessage?chat_id=-4591618577

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/getUpdates?offset=-

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%B8Screenshot%20take

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendDocument?chat_id=-4591618577&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Targets

    • Target

      system32.exe

    • Size

      21.8MB

    • MD5

      5c1a44c3055eaec0bc305e0dcc7a1476

    • SHA1

      7717068b90572e47d4efb3e1f3ef8b6c25d13b9b

    • SHA256

      9d39a47a791aba190c802ba11ecca267515f47e80169a3afa0bb267ee4e76360

    • SHA512

      5b266e58f09f324f3e83a1c07eafd08726ee61c5470667191a5a7ffdc122b94a24b06beb3c9e26d3caa8478b2df166232d8076d93fa3321434c9a499a1b7d5ee

    • SSDEEP

      393216:VxKTtgYz2DVrARX1dkOLYvvMjpXwhPGkAs/f2qbrK/Yb+0flxC1hNGW:7YzgVrelagevKXwLV3ro0flxC1L

    Score
    10/10
    gurcumilleniumratdiscoverypersistencepyinstallerratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks