Overview

overview

10

Static

static

3

built5.exe

windows7-x64

7

built5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    built5.exe

  • Size

    5.6MB

  • Sample

    241123-bqds3stqgw

  • MD5

    af665ca613378a7baa5957873e44f012

  • SHA1

    90b5fcd90fe41cbea206882278081ea22407a612

  • SHA256

    09736cb6459eb75e8ef0849cbde1e3f2daf5f32b3f8d2c9d04872d27b04e3180

  • SHA512

    da95438c6698f358f4919c067255ec7016fc76ec0872b5ee860f548f1d4ae851b7a6cd95fe678526f1e742dfef0e1d995cde40cae79231549ccaf8e7af2dbe75

  • SSDEEP

    98304:/itl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:/zOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8148978559:AAHyAO9EbSDcVmo-hjivSy2jb1M3VJ-Z2kU/sendDocument?chat_id=-4586442307&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8148978559:AAHyAO9EbSDcVmo-hjivSy2jb1M3VJ-Z2kU/sendMessage?chat_id=-4586442307

https://api.telegram.org/bot8148978559:AAHyAO9EbSDcVmo-hjivSy2jb1M3VJ-Z2kU/getUpdates?offset=-

https://api.telegram.org/bot8148978559:AAHyAO9EbSDcVmo-hjivSy2jb1M3VJ-Z2kU/sendDocument?chat_id=-4586442307&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      built5.exe

    • Size

      5.6MB

    • MD5

      af665ca613378a7baa5957873e44f012

    • SHA1

      90b5fcd90fe41cbea206882278081ea22407a612

    • SHA256

      09736cb6459eb75e8ef0849cbde1e3f2daf5f32b3f8d2c9d04872d27b04e3180

    • SHA512

      da95438c6698f358f4919c067255ec7016fc76ec0872b5ee860f548f1d4ae851b7a6cd95fe678526f1e742dfef0e1d995cde40cae79231549ccaf8e7af2dbe75

    • SSDEEP

      98304:/itl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:/zOuK6mn9NzgMoYkSIvUcwti7TQlvciE

    Score
    10/10
    discoverygurcumilleniumratpersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks