gurcu | 09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8

General

Target

Guestlist.zip
Size

171KB
Sample

240703-yr1essxcnd
MD5

7568a078b734da1f410235adf32cdb69
SHA1

3a462d95d7c217d54799b7ece6528991c3625d04
SHA256

09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8
SHA512

7cd8db1d53a6e6b572c9f68db59650d9e46553ce11fead9d7e0c150b7412220c0e7c5160cc8f8bc6782bac36a142f153ecbf97ec178e343e21532920d70d132d
SSDEEP

3072:m1KFUvq5NYyn87J2lXX+QQ7CGxihjrn5boZnHz90hQvF8URBHO8Ki8up:tUyHJn8l2leuKofnMHlJRBHO8K5up

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

142.202.242.177:7000

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7086125226:AAHBCPyJPzMk3klDDrNR7WI_pR8VgcrX-rg/sendMessage?chat_id=5009918391

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7086125226:AAHBCPyJPzMk3klDDrNR7WI_pR8VgcrX-rg/sendMessage?chat_id=5009918391

Targets

- Target
  
  wild2.bat
- Size
  
  101KB
- MD5
  
  1b0db010a5478b1bd34e62d563490b57
- SHA1
  
  8d138974f30d83f9f1dfd7ffb89c830b290dc647
- SHA256
  
  6e10dd12715347b79ddc3aaaa30be9b00548cf54f7b515e66e78f995b6412162
- SHA512
  
  a081a9ae668b2f9389d8b5648a9bc218cb6e8002d76955307104324b66fc22cfda501a8c6e69b3f87fe582fee8ab6feb8bac365412852708c91cd6673621db8f
- SSDEEP
  
  3072:8fmmAtb3zUdrhco3sgrDIt+YaNQsEerlw5i:Cmm6DUdqo8grMt+YKPt
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2
- Target
  
  wild2.vbs
- Size
  
  136KB
- MD5
  
  2fc8fa386eac2b756ca56d6c5ea5972a
- SHA1
  
  5e8701a6f9ff44f141f14e43a6b612b82b23aeb1
- SHA256
  
  e28bdb40c41bbadef5a3413c02773f291db42e0523c7aa6d4f93a03b3aa7959a
- SHA512
  
  531876ffe3a10729b60dbb45161bb6e73e14be00d174aedb0afcc4689c57e9f8b5cc147eefb25f002f62540c0748c0fb183bea3d90f525a7f688bf8ef3c9894a
- SSDEEP
  
  3072:UUtmc9S9K7G4yC0oab3a1adGNRLfE28rHRq8QDEQ0SkhbPxFIWW:UUwT4ygabaEGNRHkHDQDD0NRW
Score

10^/10

gurcu stormkitty xenarmor xworm collection execution password rat recovery spyware stealer trojan upx
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4