Overview

overview

10

Static

static

3

23b25ce90f...f2.exe

windows7-x64

7

23b25ce90f...f2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    23b25ce90f70ffa0435db8df6a6764f2.exe

  • Size

    5.6MB

  • Sample

    241206-k1mcmszlf1

  • MD5

    23b25ce90f70ffa0435db8df6a6764f2

  • SHA1

    72d0c052f26309704f13c090495c3cdea4ed1bf2

  • SHA256

    9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3

  • SHA512

    b6c81131119b95df9d789329ffd4553c1624f7d9e38c46924ac4838e59ccb59b538646f36d8c80b9361412842f8c0328aa4177e93e72e22c15077669ee9904ec

  • SSDEEP

    98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      23b25ce90f70ffa0435db8df6a6764f2.exe

    • Size

      5.6MB

    • MD5

      23b25ce90f70ffa0435db8df6a6764f2

    • SHA1

      72d0c052f26309704f13c090495c3cdea4ed1bf2

    • SHA256

      9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3

    • SHA512

      b6c81131119b95df9d789329ffd4553c1624f7d9e38c46924ac4838e59ccb59b538646f36d8c80b9361412842f8c0328aa4177e93e72e22c15077669ee9904ec

    • SSDEEP

      98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciE

    Score
    10/10
    discoverygurcumilleniumratpersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks