General
-
Target
Output-crypted.exe
-
Size
17.6MB
-
Sample
241122-xcn8jswlht
-
MD5
8d0036ab63c25882fb33a835b36b251d
-
SHA1
ca34b15d5d6a8466f575559d54974d97f9e177b3
-
SHA256
65e448de6be19e84646ff821bc151f54e663883e882c25b8c43638170bd979a3
-
SHA512
f017f6a2bfc81af0dfbe0a9a3a00c031af80786d44bcde5c59bfcba92a06b0c3003722a55fdac79787d2c247a9cdb240d6e40ea753d9dcec3b2d8a2c30db82c9
-
SSDEEP
393216:U8V5h7DRcmbOscrN2V1ccUnMYL9lfDotlLUvoTaDBfRDlXzA:FhDbtU2V1qnvbfDotlLUvoTa9
Static task
static1
Behavioral task
behavioral1
Sample
Output-crypted.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendMessage?chat_id=-4541669277
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/getUpdates?offset=-
https://api.telegram.org/bot8041920254:AAErt2Qj5PFwq2rCNeb5RylAVE1eFa18SL0/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
Output-crypted.exe
-
Size
17.6MB
-
MD5
8d0036ab63c25882fb33a835b36b251d
-
SHA1
ca34b15d5d6a8466f575559d54974d97f9e177b3
-
SHA256
65e448de6be19e84646ff821bc151f54e663883e882c25b8c43638170bd979a3
-
SHA512
f017f6a2bfc81af0dfbe0a9a3a00c031af80786d44bcde5c59bfcba92a06b0c3003722a55fdac79787d2c247a9cdb240d6e40ea753d9dcec3b2d8a2c30db82c9
-
SSDEEP
393216:U8V5h7DRcmbOscrN2V1ccUnMYL9lfDotlLUvoTaDBfRDlXzA:FhDbtU2V1qnvbfDotlLUvoTa9
-
Gurcu family
-
Milleniumrat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1