General

  • Target

    mainmenunotFUD.exe

  • Size

    16.2MB

  • Sample

    241122-2pks4s1nbv

  • MD5

    72e3eb7e641fd4c32335ed5201683d9a

  • SHA1

    f63651ae7a673b5b459796aebaf5b7f0c76c0687

  • SHA256

    a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc

  • SHA512

    d4428cd7224ac5382cd7c9761230905ea027126a4717fcd58e646721029c2c327ed7580d0d1b2ac16c444db3d40969a4ec718694960e24e2229113c45a978e8d

  • SSDEEP

    393216:z1Mn5D38U+pzCq+hqavItKM+0myAZGwCH+DKp3n:z1M5DD+pzz4DAt+yq5CkM

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendMessage?chat_id=-4541669277

https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/getUpdates?offset=-

https://api.telegram.org/bot8041920254:AAEtB3Eho08Y3ijoyHy_UbKVMS-UjEdwbrQ/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      mainmenunotFUD.exe

    • Size

      16.2MB

    • MD5

      72e3eb7e641fd4c32335ed5201683d9a

    • SHA1

      f63651ae7a673b5b459796aebaf5b7f0c76c0687

    • SHA256

      a495b85839d5632aab568ff0a41aeeceb0c949bffe99980d097a28027c454fdc

    • SHA512

      d4428cd7224ac5382cd7c9761230905ea027126a4717fcd58e646721029c2c327ed7580d0d1b2ac16c444db3d40969a4ec718694960e24e2229113c45a978e8d

    • SSDEEP

      393216:z1Mn5D38U+pzCq+hqavItKM+0myAZGwCH+DKp3n:z1M5DD+pzz4DAt+yq5CkM

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Milleniumrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks