Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/i...

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1

Score
10/10
gurcutoxiceyeratstealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Extracted

Family

gurcu

C2

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.0.1549976418\537069928" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7af1e3b-07a6-4e7e-b1b6-056f77669631} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 1900 1e61dd0da58 gpu
        3⤵
          PID:1424
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.1.960705279\1086025577" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2452 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1611eae4-2d37-42ab-8a48-cee984dc41de} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 2492 1e609a89a58 socket
          3⤵
            PID:2084
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.2.712173569\1217911810" -childID 1 -isForBrowser -prefsHandle 1680 -prefMapHandle 2908 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {519f61f7-9250-45a1-bf6e-bf15b4b67deb} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 3028 1e620e59e58 tab
            3⤵
              PID:3164
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.3.1970717528\444388524" -childID 2 -isForBrowser -prefsHandle 900 -prefMapHandle 3552 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f84bda22-bb0f-4193-a17b-bf1a0fb605df} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 1212 1e6224e6b58 tab
              3⤵
                PID:1252
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.4.1592278344\311513232" -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3547e2f7-5e4e-4d3b-a431-c53b5082204b} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 5332 1e624b8a958 tab
                3⤵
                  PID:4340
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.5.1030890161\1158678341" -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d742ca46-ca98-4b4d-b695-85ba47c4b2b9} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 4384 1e624c51b58 tab
                  3⤵
                    PID:4652
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.6.724921559\5082130" -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d25354-d2c7-4650-a7ff-f50bb2036d05} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 5180 1e624c54858 tab
                    3⤵
                      PID:3920
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2988
                  • C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
                    "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3016
                    • C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
                      "C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
                      2⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1604
                      • C:\Windows\System32\schtasks.exe
                        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:5340
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat
                        3⤵
                          PID:5396
                          • C:\Windows\system32\tasklist.exe
                            Tasklist /fi "PID eq 1604"
                            4⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5452
                          • C:\Windows\system32\find.exe
                            find ":"
                            4⤵
                              PID:5460
                            • C:\Windows\system32\timeout.exe
                              Timeout /T 1 /Nobreak
                              4⤵
                              • Delays execution with timeout.exe
                              PID:5500
                            • C:\Windows\system32\tasklist.exe
                              Tasklist /fi "PID eq 1604"
                              4⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5516
                            • C:\Windows\system32\find.exe
                              find ":"
                              4⤵
                                PID:5524
                              • C:\Windows\system32\timeout.exe
                                Timeout /T 1 /Nobreak
                                4⤵
                                • Delays execution with timeout.exe
                                PID:5560
                              • C:\Users\Static\Update.exe
                                "Update.exe"
                                4⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:5576
                                • C:\Windows\System32\schtasks.exe
                                  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
                                  5⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:5720
                          • C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
                            "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks processor information in registry
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:1100
                        • C:\Windows\system32\wbem\WmiApSrv.exe
                          C:\Windows\system32\wbem\WmiApSrv.exe
                          1⤵
                            PID:5908

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp
                            Filesize

                            28KB

                            MD5

                            7a3af1c03079c16e5b08068981f45569

                            SHA1

                            ede54442e93ec73a8b2c6e8cf6ef6626060ca9eb

                            SHA256

                            4c61901642f2ad5e072700cbf615feb85f68b50e86983b7e235625f889c2c7cf

                            SHA512

                            c7e2552f05ad140a15ecf3b0d1830cd49405d1ad61112f870aa97936457f56c204dcbc0f2514b4e1bc1d79316ceaf52b28ea0450cd5db0c1ba8573bdcb6afdef

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat
                            Filesize

                            195B

                            MD5

                            11f95b77bf0783fc8c0d34fb631e2931

                            SHA1

                            b0882fda999dea35f9d6f081144640fd13f0ccbb

                            SHA256

                            22bf4529a81020d00d5f1cf31972396daace946f9a28b2817828b1d044c7f1fd

                            SHA512

                            b67326d19cb0652d1eb98ef10c2fb6e9a7165276df7fe0dc2a63979835a1f0aba711a3d07b14d84be326bf32b9baef53fd35260fc6356cafc4101457ecd85b92

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
                            Filesize

                            127KB

                            MD5

                            f6f686df785d0abdc66d1f90fa508c4b

                            SHA1

                            75f348132001df30cbad9c7cae2e2072fcaca38e

                            SHA256

                            61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

                            SHA512

                            7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js
                            Filesize

                            7KB

                            MD5

                            b9d0396bffe467897359f90922a054f3

                            SHA1

                            31df99e360ae982e07b509b157ac017219137dd8

                            SHA256

                            c1983f3cf0f0f0bc8c275df6925c70fe4006fcb28e991a58cc9542a3377afa6a

                            SHA512

                            000ec50ca64dbd070c51e7b1fdb41cd976ae62fed69001685e997d15741304003aaf9d46a94c60e36ebb422d73dfe5b64eac2e18c21090208c46972c11c54597

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            712716d788f386879f1472dc1631d9a6

                            SHA1

                            a1a5f8c6d73f091665f030d111fcda2fdb244d55

                            SHA256

                            6567e9450441db791598317fee3aa2b855c10552c7e843923f2310e4d733c72e

                            SHA512

                            36009c69151c7360858a791547f8f468a48a461c8bc185c56ce5a9bfdea6e0c4355a840f9336fb0c99a2f32ccc037664385621e18ed6e2006f7106d5d7d64ce3

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            1c90fc18b3211de17d48467a44e59d2f

                            SHA1

                            51352e3be21881360bb235c9a79cd8bf6b90fb70

                            SHA256

                            845088bd2967470164ea645dcd3caa57733fb858f81b9213c1f4e322446fedfe

                            SHA512

                            950ba2dbb30226f57fa61d8b5b11993a73a5a58d9757e5eaa5c25ea3cbb3b83df590fcea9a8f51a709785eb538dba77357e1c687db563fa8ffc94c137b115b2a

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                            Filesize

                            192KB

                            MD5

                            47291f5bffb17c1658b2811eee4df7be

                            SHA1

                            e030537635d7c86eb9fe73d9c7fc05f5c4165545

                            SHA256

                            1385c163850263d9c6806b1defd58aa25e00b04a0faf83446c25ec92ac761f31

                            SHA512

                            7582a960472b794ae598be82cf65857cb51b389ac657c20e394d041db7a46a1eae761a2530090f67ec0e4d90edf84a7139593bc846731130b14b44a13b8d4c2b

                            Download Submit

                          • C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
                            Filesize

                            6.5MB

                            MD5

                            a21db5b6e09c3ec82f048fd7f1c4bb3a

                            SHA1

                            e7ffb13176d60b79d0b3f60eaea641827f30df64

                            SHA256

                            67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

                            SHA512

                            7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

                            Download Submit

                          • C:\Users\Admin\Downloads\XWorm-RAT-main.xG2j4s6l.zip.part
                            Filesize

                            33.7MB

                            MD5

                            3c583f36fdd166613ec8b5f81597e5e9

                            SHA1

                            f3e9cbfb5749212f2d54f36b391b7d03bdd303a9

                            SHA256

                            8f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e

                            SHA512

                            072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b

                            Download Submit

                          • memory/1100-330-0x0000000006340000-0x00000000068E4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/1100-334-0x0000000006010000-0x0000000006066000-memory.dmp

                            Filesize

                            344KB

                            Download

                          • memory/1100-335-0x0000000009A00000-0x0000000009A66000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1100-333-0x0000000005D90000-0x0000000005D9A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1100-331-0x0000000005E30000-0x0000000005EC2000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/1100-328-0x0000000000CA0000-0x0000000001332000-memory.dmp

                            Filesize

                            6.6MB

                            Download

                          • memory/1100-329-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

                            Filesize

                            624KB

                            Download

                          • memory/1604-341-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1604-327-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1604-316-0x000001ED677A0000-0x000001ED677C6000-memory.dmp

                            Filesize

                            152KB

                            Download

                          • memory/3016-300-0x00007FFE78213000-0x00007FFE78215000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3016-332-0x000001DFA6FB0000-0x000001DFA6FBA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/3016-324-0x000001DFA6DE0000-0x000001DFA6E00000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/3016-336-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3016-321-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3016-301-0x000001DF8C7E0000-0x000001DF8C8CE000-memory.dmp

                            Filesize

                            952KB

                            Download