Overview

overview

10

Static

static

3

scanjector.exe

windows7-x64

7

scanjector.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    scanjector.exe

  • Size

    17.4MB

  • Sample

    241229-c8q2sszpas

  • MD5

    00a089806c6d881d0716d38ca3f26f1f

  • SHA1

    14e6f87e781dfef16566cc0c85e7a1c2ce578bad

  • SHA256

    0c374469d4e9f2f0036e48f61c821e23416e41111792fa35e215886f3c0d5c46

  • SHA512

    5440ee4137d2415657dce424b98a15b44d07bf7784ec2fb07a7328bfe2a5a76a4d8cada61f9669ee4477e69d2e5ef752cd147c84f9523868c6690d82c9c3192d

  • SSDEEP

    393216:f/hnALfhy7zZYOY3iWkvdCsJjQ2SHjNKED9UQr:3pAjhyHZ+33o820rUQr

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8121099632:AAEGRQywapM__xBl2iPOZXa0Zc5KRb_4SgU/sendDocument?chat_id=-4770872927&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8121099632:AAEGRQywapM__xBl2iPOZXa0Zc5KRb_4SgU/sendMessage?chat_id=-4770872927

https://api.telegram.org/bot8121099632:AAEGRQywapM__xBl2iPOZXa0Zc5KRb_4SgU/getUpdates?offset=-

https://api.telegram.org/bot8121099632:AAEGRQywapM__xBl2iPOZXa0Zc5KRb_4SgU/sendDocument?chat_id=-4770872927&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      scanjector.exe

    • Size

      17.4MB

    • MD5

      00a089806c6d881d0716d38ca3f26f1f

    • SHA1

      14e6f87e781dfef16566cc0c85e7a1c2ce578bad

    • SHA256

      0c374469d4e9f2f0036e48f61c821e23416e41111792fa35e215886f3c0d5c46

    • SHA512

      5440ee4137d2415657dce424b98a15b44d07bf7784ec2fb07a7328bfe2a5a76a4d8cada61f9669ee4477e69d2e5ef752cd147c84f9523868c6690d82c9c3192d

    • SSDEEP

      393216:f/hnALfhy7zZYOY3iWkvdCsJjQ2SHjNKED9UQr:3pAjhyHZ+33o820rUQr

    Score
    10/10
    discoverygurcumilleniumratpersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks