Overview

overview

10

Static

static

3

main.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    main.exe

  • Size

    21.8MB

  • Sample

    241112-xcmpqa1rek

  • MD5

    19357874ab2c14b465bcc43d07405678

  • SHA1

    c8b663846548072121348370e2cae35848d34297

  • SHA256

    acef066fdca2c635e88282a8f7abedfea5a06af622929e2832baac37b4546a1e

  • SHA512

    3f5205fe245bd3fdb15ec4bf1e97dbf866b3c6bbdc2fb2724de44bf95ee9a8a4d04f46a971c7bf257b162f0b9bd3eed480468b868b156defb414f0662681578d

  • SSDEEP

    393216:V8i/CcMYyS1IIsLcgsATkdP+e3yIJJjF9eTSlUN9VBbED5oYYq4FDD:V8iqW1nkcgsACV8EUNhI1R4F

Score
10/10
gurcumilleniumratdiscoverypersistencepyinstallerratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendMessage?chat_id=-4591618577

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/getUpdates?offset=-

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      main.exe

    • Size

      21.8MB

    • MD5

      19357874ab2c14b465bcc43d07405678

    • SHA1

      c8b663846548072121348370e2cae35848d34297

    • SHA256

      acef066fdca2c635e88282a8f7abedfea5a06af622929e2832baac37b4546a1e

    • SHA512

      3f5205fe245bd3fdb15ec4bf1e97dbf866b3c6bbdc2fb2724de44bf95ee9a8a4d04f46a971c7bf257b162f0b9bd3eed480468b868b156defb414f0662681578d

    • SSDEEP

      393216:V8i/CcMYyS1IIsLcgsATkdP+e3yIJJjF9eTSlUN9VBbED5oYYq4FDD:V8iqW1nkcgsACV8EUNhI1R4F

    Score
    10/10
    gurcumilleniumratdiscoverypersistencepyinstallerratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks