General
-
Target
system user.exe
-
Size
16.2MB
-
Sample
241122-aygz2a1jax
-
MD5
b46ff65472aba689f7cdd2b81cd42142
-
SHA1
16251509795e6126f8883e97180c197f713dc88c
-
SHA256
d0596d6ec9df77425df57135e143609cb95e2d5817dbf59632081a3940d3bc61
-
SHA512
be7c2989ef10225183aa6fe7f356c1b96b7bed3e2cd99a7d99b80d89337b6666efd0c1a75227505f1e3fa2e3ab99dcf67c1bf933549724b5c695b6c44cc090f3
-
SSDEEP
393216:t4A662tOh7skhs2n5nXaBIteAhOBq1FS8pbGReR9gyLp/dh:t4AotuI2sNI9S8p7RCyLp/dh
Static task
static1
Behavioral task
behavioral1
Sample
system user.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendDocument?chat_id=-4585616644&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendMessage?chat_id=-4585616644
https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/getUpdates?offset=-
https://api.telegram.org/bot7822501916:AAHa6lPJ5KfvRLcTm8nATPQ9AUCR8cMhsy0/sendDocument?chat_id=-4585616644&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
system user.exe
-
Size
16.2MB
-
MD5
b46ff65472aba689f7cdd2b81cd42142
-
SHA1
16251509795e6126f8883e97180c197f713dc88c
-
SHA256
d0596d6ec9df77425df57135e143609cb95e2d5817dbf59632081a3940d3bc61
-
SHA512
be7c2989ef10225183aa6fe7f356c1b96b7bed3e2cd99a7d99b80d89337b6666efd0c1a75227505f1e3fa2e3ab99dcf67c1bf933549724b5c695b6c44cc090f3
-
SSDEEP
393216:t4A662tOh7skhs2n5nXaBIteAhOBq1FS8pbGReR9gyLp/dh:t4AotuI2sNI9S8p7RCyLp/dh
-
Gurcu family
-
Milleniumrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1