Overview

overview

10

Static

static

3

246be4970b...63.exe

windows7-x64

7

246be4970b...63.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63

  • Size

    5.6MB

  • Sample

    241207-tqepgswqgt

  • MD5

    9131ecd24f80c67f05d3a145e24251dd

  • SHA1

    52bde2feddadd2c5dfdad19a5303e78dd7b660d8

  • SHA256

    246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63

  • SHA512

    a49b6b6303210b5cb9a5f0ffe39f38c83027562c165abf50b823d45de978eadbfa319cbec4425089ea30be8e49796665c52207d799cb56467f76facecdc9b753

  • SSDEEP

    98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcM:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciD

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515630646:AAEMGND3BFGtcBKf-CV4dQbyV510h-hLt8E/sendDocument?chat_id=7781867830&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7515630646:AAEMGND3BFGtcBKf-CV4dQbyV510h-hLt8E/sendMessage?chat_id=7781867830

https://api.telegram.org/bot7515630646:AAEMGND3BFGtcBKf-CV4dQbyV510h-hLt8E/getUpdates?offset=-

https://api.telegram.org/bot7515630646:AAEMGND3BFGtcBKf-CV4dQbyV510h-hLt8E/sendDocument?chat_id=7781867830&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63

    • Size

      5.6MB

    • MD5

      9131ecd24f80c67f05d3a145e24251dd

    • SHA1

      52bde2feddadd2c5dfdad19a5303e78dd7b660d8

    • SHA256

      246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63

    • SHA512

      a49b6b6303210b5cb9a5f0ffe39f38c83027562c165abf50b823d45de978eadbfa319cbec4425089ea30be8e49796665c52207d799cb56467f76facecdc9b753

    • SSDEEP

      98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcM:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciD

    Score
    10/10
    discoverygurcumilleniumratpersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks