gurcu | 34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c

General

Target

file.exe
Size

5.6MB
Sample

241213-ck49hsvnet
MD5

3442efc1a403eaeee70cc2a6729ee87b
SHA1

9fcc1af6ba397c0fcfb979af53e2e76c406e6080
SHA256

34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c
SHA512

869bf4a24dbafe05a43872c6ff0ff437685df6dba97519fc1a58ce96ea2166a01162a77043f4ff52d488301e3d7f34f7c9c71cfa19b4ebad512a626c8ca43dca
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcG:tWOuK6mn9NzgMoYkSIvUcwti7TQlvcih

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  file.exe
- Size
  
  5.6MB
- MD5
  
  3442efc1a403eaeee70cc2a6729ee87b
- SHA1
  
  9fcc1af6ba397c0fcfb979af53e2e76c406e6080
- SHA256
  
  34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c
- SHA512
  
  869bf4a24dbafe05a43872c6ff0ff437685df6dba97519fc1a58ce96ea2166a01162a77043f4ff52d488301e3d7f34f7c9c71cfa19b4ebad512a626c8ca43dca
- SSDEEP
  
  98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcG:tWOuK6mn9NzgMoYkSIvUcwti7TQlvcih
Score

10^/10

discovery gurcu milleniumrat rat spyware stealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Milleniumrat family
  milleniumrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2