gurcu | 58a48260cbae6b5e3f6420ee6320556a1d1c4917d116023011930cb1333d0969

General

Target

downloader.exe
Size

10.7MB
Sample

241112-z1fmes1gjr
MD5

d44f974c0efa908700088c5188369415
SHA1

00926907398eaad7db18bf1a9cc982f1b80e9e28
SHA256

58a48260cbae6b5e3f6420ee6320556a1d1c4917d116023011930cb1333d0969
SHA512

cd63b3cd26b1e13c3098c953af6391a113954d414e1c6649b81b0a5ecc6ae9ebbd8493b759771cc489e2f822cd128fa7f35e8bb0413a3acc85a3bcd83c540654
SSDEEP

196608:YTkgYsVEoc/TLx4hz7DIxyhwfI9jACSgYBYvgaHf+iITxLmA6Pk:CtrVEJTGz7krI7SgYB6CT5i

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendMessage?chat_id=-4591618577

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/getUpdates?offset=-

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

https://api.telegram.org/bot7752972529:AAHedm62YGOXvoySs5l3sDtJXaKftSTKqvg/sendDocument?chat_id=-4591618577&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  downloader.exe
- Size
  
  10.7MB
- MD5
  
  d44f974c0efa908700088c5188369415
- SHA1
  
  00926907398eaad7db18bf1a9cc982f1b80e9e28
- SHA256
  
  58a48260cbae6b5e3f6420ee6320556a1d1c4917d116023011930cb1333d0969
- SHA512
  
  cd63b3cd26b1e13c3098c953af6391a113954d414e1c6649b81b0a5ecc6ae9ebbd8493b759771cc489e2f822cd128fa7f35e8bb0413a3acc85a3bcd83c540654
- SSDEEP
  
  196608:YTkgYsVEoc/TLx4hz7DIxyhwfI9jACSgYBYvgaHf+iITxLmA6Pk:CtrVEJTGz7krI7SgYB6CT5i
Score

10^/10

gurcu milleniumrat discovery persistence pyinstaller rat spyware stealer upx
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Milleniumrat family
  milleniumrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1