Overview

overview

10

Static

static

3

a129d94c36...e9.exe

windows7-x64

7

a129d94c36...e9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d0701d8fdc16df25fa0249b59aab042.bin

  • Size

    4.1MB

  • Sample

    241215-bgyf5a1pan

  • MD5

    fb8129995849ea1fb8d423cf98321c18

  • SHA1

    deb24918ac9a1dbc8c678ad45d6cb2b2215fa4fd

  • SHA256

    d0d1c39b9750ccb8b7bb70610185e077437f83811553b1a760072eaa395da779

  • SHA512

    3d181380e3ea4ff1879888b527cf628656931e737ce3a0d162f1616a9eb9f37c846e1d6bd782b2c3fec3dfd8032b59608a2c336476c8950034b4dcb95fa800c3

  • SSDEEP

    98304:TYsVs89syd+p0J6cHoxXoYZ9pqWP4LljY2L60tJbCw4:TQ8Z+A6L5pqWqjNBM

Score
10/10
gurcumilleniumratdiscoveryratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

    • Size

      5.6MB

    • MD5

      1d0701d8fdc16df25fa0249b59aab042

    • SHA1

      6028426f7e0a712a1aeae28d986337aafae26abe

    • SHA256

      a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

    • SHA512

      f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17

    • SSDEEP

      98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

    Score
    10/10
    discoverygurcumilleniumratratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks