gurcu | hxxps://cdn[.]discordapp[.]com/attachments/1250327383010181161/1258646575874441356/jet[.]zip?ex=6688cd78&is=66877bf8&hm=bc530f820e840882c1e71373e449ba80c9f2e1d3e81ac8d0d24559b5ca79afc8&

Sharing

Copy URL

Twitter E-mail

General

Target

https://cdn.discordapp.com/attachments/1250327383010181161/1258646575874441356/jet.zip?ex=6688cd78&is=66877bf8&hm=bc530f820e840882c1e71373e449ba80c9f2e1d3e81ac8d0d24559b5ca79afc8&
Sample

240705-lmmlxswcmr

Score

10^/10

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.32%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.34%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  https://cdn.discordapp.com/attachments/1250327383010181161/1258646575874441356/jet.zip?ex=6688cd78&is=66877bf8&hm=bc530f820e840882c1e71373e449ba80c9f2e1d3e81ac8d0d24559b5ca79afc8&
Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Contacts a large (3000) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1