gurcu | 4e900c9d6afa9da8cb9ffa5db15bc2ce4b16220e0e69716cdc88e39882cbfd4c

General

Target

Combo Leacher.exe
Size

11.4MB
Sample

241123-djkzxssqbk
MD5

acd646973ccafe31e48299647203e38c
SHA1

e3c284e5d57043bac8de81a5a88fd619fa0b5d29
SHA256

4e900c9d6afa9da8cb9ffa5db15bc2ce4b16220e0e69716cdc88e39882cbfd4c
SHA512

3203cd7de93cb0b6f6250692a4f626985c7035366248d8be1b0c979dea549ae6fd62a5a739ff9dd18b839a9a6b027d6b80b59455672553604d00139ac7d3d6d4
SSDEEP

196608:s/igW75bLmJoiSE/FteRQ6Drt4AMfHweVjIehglJx31nVWctIIEtTK:saQo6teRHrt4A0QkphCJ1VtEtTK

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4590251468&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendMessage?chat_id=-4594364141

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/getUpdates?offset=-

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  Combo Leacher.exe
- Size
  
  11.4MB
- MD5
  
  acd646973ccafe31e48299647203e38c
- SHA1
  
  e3c284e5d57043bac8de81a5a88fd619fa0b5d29
- SHA256
  
  4e900c9d6afa9da8cb9ffa5db15bc2ce4b16220e0e69716cdc88e39882cbfd4c
- SHA512
  
  3203cd7de93cb0b6f6250692a4f626985c7035366248d8be1b0c979dea549ae6fd62a5a739ff9dd18b839a9a6b027d6b80b59455672553604d00139ac7d3d6d4
- SSDEEP
  
  196608:s/igW75bLmJoiSE/FteRQ6Drt4AMfHweVjIehglJx31nVWctIIEtTK:saQo6teRHrt4A0QkphCJ1VtEtTK
Score

10^/10

gurcu milleniumrat discovery persistence rat spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Milleniumrat family
  milleniumrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1