Overview

overview

10

Static

static

3

built.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    built.exe

  • Size

    5.6MB

  • Sample

    250408-xklgmayxcw

  • MD5

    bbbc360f5fda5c27b7fec16367108a1e

  • SHA1

    30e718b49933b9cb4af5ee8449b5799be5217da9

  • SHA256

    b340ffcae2c21b64b90d6a5c437cb677f4b039294200b67b5f19bbe9a419154c

  • SHA512

    4ee33722b35ac11de62548f48bde68218936980a3e8480265a7d600b2baac2de7dd29bdca974935c0aad379871b45fbcaed181642c7e8fbd19a631e47a07e22a

  • SSDEEP

    98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc4:s6OuK6mn9NzgMoYkSIvUcwti7TQlvci1

Score
10/10
gurcumilleniumratdiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.08%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      built.exe

    • Size

      5.6MB

    • MD5

      bbbc360f5fda5c27b7fec16367108a1e

    • SHA1

      30e718b49933b9cb4af5ee8449b5799be5217da9

    • SHA256

      b340ffcae2c21b64b90d6a5c437cb677f4b039294200b67b5f19bbe9a419154c

    • SHA512

      4ee33722b35ac11de62548f48bde68218936980a3e8480265a7d600b2baac2de7dd29bdca974935c0aad379871b45fbcaed181642c7e8fbd19a631e47a07e22a

    • SSDEEP

      98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc4:s6OuK6mn9NzgMoYkSIvUcwti7TQlvci1

    Score
    10/10
    gurcumilleniumratdiscoverypersistenceratspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

      ratstealermilleniumrat

    • Milleniumrat family

      milleniumrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v16

Tasks