General

  • Target

    2025-04-03_7cbfcf1b8eb95b00a52c8545858247f4_black-basta_hijackloader_luca-stealer

  • Size

    5.7MB

  • Sample

    250403-mnwfwsvwhx

  • MD5

    7cbfcf1b8eb95b00a52c8545858247f4

  • SHA1

    144a1e5ef70cc427c9eab0bdbe750029a8b1f311

  • SHA256

    6a285a9511a2eea7d847566cfc5b5e2b79d1b8f173d134da7f90f8b6017d2f5d

  • SHA512

    b6cb800865689d30ef598d3fc4f21fd838557448dc1b295a8cbdd1282c9b78e4ca120b4f8d27e6ca0194c6ec8c9255c565150e880834f2f9a8dc3001a24d4f68

  • SSDEEP

    98304:Qf7l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucze:QiOuK6mn9NzgMoYkSIvUcwti7TQlvcid

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7451084713:AAHkLbx1R49Iistq5zrYxQyAjPsaNq70hqk/sendDocument?chat_id=7848641603&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(2.83%20kb

https://api.telegram.org/bot7451084713:AAHkLbx1R49Iistq5zrYxQyAjPsaNq70hqk/sendMessage?chat_id=7848641603

https://api.telegram.org/bot7451084713:AAHkLbx1R49Iistq5zrYxQyAjPsaNq70hqk/getUpdates?offset=-

https://api.telegram.org/bot7451084713:AAHkLbx1R49Iistq5zrYxQyAjPsaNq70hqk/sendDocument?chat_id=7848641603&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is stealer malware written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Milleniumrat family

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15