Overview

overview

10

Static

static

3

built (3).exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    built (3).exe

  • Size

    5.6MB

  • Sample

    241112-2kkybasgmj

  • MD5

    341672988233011e8a9844c5915e1ba3

  • SHA1

    5dced09c57427e9a1f58176007e3f6a6a3c7bac4

  • SHA256

    6193641a4c0d946ee42bb7b2252d744bd847c7c4fcb86c92e903a9cc2db51420

  • SHA512

    e6933e809653e363dac0a8069fbc04e7950eb190ee8c99afcad4c54f7c9247783421363ab7eef87d9bc55b8c785862e52c7d5a33e0850405803a313bef9bdd26

  • SSDEEP

    98304:/itl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:/zOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendMessage?chat_id=-4591618577

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/getUpdates?offset=-

https://api.telegram.org/bot7752972529:AAEtMsfGe--_VCXGOgzbXYHwWxpOQxGFJN0/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      built (3).exe

    • Size

      5.6MB

    • MD5

      341672988233011e8a9844c5915e1ba3

    • SHA1

      5dced09c57427e9a1f58176007e3f6a6a3c7bac4

    • SHA256

      6193641a4c0d946ee42bb7b2252d744bd847c7c4fcb86c92e903a9cc2db51420

    • SHA512

      e6933e809653e363dac0a8069fbc04e7950eb190ee8c99afcad4c54f7c9247783421363ab7eef87d9bc55b8c785862e52c7d5a33e0850405803a313bef9bdd26

    • SSDEEP

      98304:/itl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:/zOuK6mn9NzgMoYkSIvUcwti7TQlvciE

    Score
    10/10
    gurcumilleniumratdiscoverypersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks