gurcu | ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a

General

Target

systemuser32.exe
Size

20.6MB
Sample

241122-crrxrssmbs
MD5

e481a457b7e963581ea60a9cff53f150
SHA1

71c44a94492747a651c6cee7e99cade3ae314dc4
SHA256

ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a
SHA512

dcb9f4321281b291c96798a5e04b7e2b9fca4c1f6720387b047440f484757008d7b3cfa16c2ad2f8758a5e2fd204e20b5f94252772a0a31fd265be98233e5103
SSDEEP

393216:ZVIREJbgCTGGATTgGO09XCrgBIPg17XmH65jivecT/h41Sba:ZVIREJbgCSGKkGfXxIY17e65evbhKi

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendMessage?chat_id=-4541669277

https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/getUpdates?offset=-

https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  systemuser32.exe
- Size
  
  20.6MB
- MD5
  
  e481a457b7e963581ea60a9cff53f150
- SHA1
  
  71c44a94492747a651c6cee7e99cade3ae314dc4
- SHA256
  
  ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a
- SHA512
  
  dcb9f4321281b291c96798a5e04b7e2b9fca4c1f6720387b047440f484757008d7b3cfa16c2ad2f8758a5e2fd204e20b5f94252772a0a31fd265be98233e5103
- SSDEEP
  
  393216:ZVIREJbgCTGGATTgGO09XCrgBIPg17XmH65jivecT/h41Sba:ZVIREJbgCSGKkGfXxIY17e65evbhKi
Score

10^/10

gurcu milleniumrat discovery persistence pyinstaller rat spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Milleniumrat family
  milleniumrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1