Extracted

• • Target

    systemuser32.exe

  • Size

    20.6MB

  • MD5

    e481a457b7e963581ea60a9cff53f150

  • SHA1

    71c44a94492747a651c6cee7e99cade3ae314dc4

  • SHA256

    ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a

  • SHA512

    dcb9f4321281b291c96798a5e04b7e2b9fca4c1f6720387b047440f484757008d7b3cfa16c2ad2f8758a5e2fd204e20b5f94252772a0a31fd265be98233e5103

  • SSDEEP

    393216:ZVIREJbgCTGGATTgGO09XCrgBIPg17XmH65jivecT/h41Sba:ZVIREJbgCSGKkGfXxIY17e65evbhKi

  Score

  10^/10

  discoveryexecutionpyinstallergurcumilleniumratpersistenceratspywarestealer

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat

  • Milleniumrat family

    milleniumrat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2