General
-
Target
mainmenunotFUD.exe
-
Size
16.2MB
-
Sample
241122-2pks4s1nbv
-
MD5
72e3eb7e641fd4c32335ed5201683d9a
-
SHA1
f63651ae7a673b5b459796aebaf5b7f0c76c0687
-
SHA256
a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc
-
SHA512
d4428cd7224ac5382cd7c9761230905ea027126a4717fcd58e646721029c2c327ed7580d0d1b2ac16c444db3d40969a4ec718694960e24e2229113c45a978e8d
-
SSDEEP
393216:z1Mn5D38U+pzCq+hqavItKM+0myAZGwCH+DKp3n:z1M5DD+pzz4DAt+yq5CkM
Static task
static1
Behavioral task
behavioral1
Sample
mainmenunotFUD.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
mainmenunotFUD.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendMessage?chat_id=-4541669277
https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/getUpdates?offset=-
https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
mainmenunotFUD.exe
-
Size
16.2MB
-
MD5
72e3eb7e641fd4c32335ed5201683d9a
-
SHA1
f63651ae7a673b5b459796aebaf5b7f0c76c0687
-
SHA256
a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc
-
SHA512
d4428cd7224ac5382cd7c9761230905ea027126a4717fcd58e646721029c2c327ed7580d0d1b2ac16c444db3d40969a4ec718694960e24e2229113c45a978e8d
-
SSDEEP
393216:z1Mn5D38U+pzCq+hqavItKM+0myAZGwCH+DKp3n:z1M5DD+pzz4DAt+yq5CkM
-
Gurcu family
-
Milleniumrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1