General

  • Target

    system user.exe

  • Size

    16.2MB

  • Sample

    241122-aygz2a1jax

  • MD5

    b46ff65472aba689f7cdd2b81cd42142

  • SHA1

    16251509795e6126f8883e97180c197f713dc88c

  • SHA256

    d0596d6ec9df77425df57135e143609cb95e2d5817dbf59632081a3940d3bc61

  • SHA512

    be7c2989ef10225183aa6fe7f356c1b96b7bed3e2cd99a7d99b80d89337b6666efd0c1a75227505f1e3fa2e3ab99dcf67c1bf933549724b5c695b6c44cc090f3

  • SSDEEP

    393216:t4A662tOh7skhs2n5nXaBIteAhOBq1FS8pbGReR9gyLp/dh:t4AotuI2sNI9S8p7RCyLp/dh

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendDocument?chat_id=-4585616644&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendMessage?chat_id=-4585616644

https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/getUpdates?offset=-

https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendDocument?chat_id=-4585616644&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      system user.exe

    • Size

      16.2MB

    • MD5

      b46ff65472aba689f7cdd2b81cd42142

    • SHA1

      16251509795e6126f8883e97180c197f713dc88c

    • SHA256

      d0596d6ec9df77425df57135e143609cb95e2d5817dbf59632081a3940d3bc61

    • SHA512

      be7c2989ef10225183aa6fe7f356c1b96b7bed3e2cd99a7d99b80d89337b6666efd0c1a75227505f1e3fa2e3ab99dcf67c1bf933549724b5c695b6c44cc090f3

    • SSDEEP

      393216:t4A662tOh7skhs2n5nXaBIteAhOBq1FS8pbGReR9gyLp/dh:t4AotuI2sNI9S8p7RCyLp/dh

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Milleniumrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks