General

  • Target

    file.ps1

  • Size

    47B

  • Sample

    240707-rvhwlawfpg

  • MD5

    ba644fc1ec08acd03635e632eca767ce

  • SHA1

    c43ff24b42307a56efe51fdcc90ba3f3688a83f5

  • SHA256

    8fa3b77007a27683e1e3c2e59d9c46aff40df0a9f486b5dc48686ec5e4dc29a9

  • SHA512

    5a0a21c01f379c82ace0cae841e83f250c0989055c4f97c1fe61374875ec618607f9184a86d77a6f1414adb55a4e560cf462e6087e49c9a72ab7ec05243f6386

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://rentry.co/CODEDZ/raw

Extracted

  • Family

    xworm

  • C2

    authority-amazon.gl.at.ply.gg:41414

  • Attributes

    • Install_directory

      %Temp%

    • install_file

      USB.exe

    • telegram

      https://api.telegram.org/bot7385944449:AAEaUrwMYX_XiDFQnXFCUvo82onFpxTx034/sendMessage?chat_id=7032597484

Extracted

  • Family

    gurcu

  • C2

    https://api.telegram.org/bot7385944449:AAEaUrwMYX_XiDFQnXFCUvo82onFpxTx034/sendMessage?chat_id=7032597484
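The extracted configuration gives a small, concrete IOC set: the stage-two URL on rentry.co, the XWorm C2 host and port, the Telegram Bot API endpoint that appears both as the XWorm telegram attribute and as the Gurcu C2, and the install location %Temp%\USB.exe. The Python script below is an added example, not part of the sandbox report: it splits the Telegram URL into the keys worth pivoting on (bot id, token, chat_id), then hunts for the IOCs in proxy log lines and a file-hash inventory, with a generic tier that still fires if the operator rotates the bot token. The log lines, the inventory and the rotated token are constructed sample input; only the IOC constants come from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# IOCs copied from the extracted configuration on this page.
DROPPER_SHA256 = "8fa3b77007a27683e1e3c2e59d9c46aff40df0a9f486b5dc48686ec5e4dc29a9"
STAGE2_URL = "https://rentry.co/CODEDZ/raw"
XWORM_C2 = "authority-amazon.gl.at.ply.gg:41414"
TELEGRAM_URL = ("https://api.telegram.org/bot7385944449:"
                "AAEaUrwMYX_XiDFQnXFCUvo82onFpxTx034/sendMessage?chat_id=7032597484")

# Any Telegram Bot API call: bot id, token, method. Also catches a rotated token.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def telegram_identity(url: str) -> dict:
    """Split a Telegram Bot API URL into the keys worth pivoting on."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        raise ValueError("not a Telegram Bot API URL")
    chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2),
            "method": m.group(3), "chat_id": chat_id}


KNOWN_BOT_ID = telegram_identity(TELEGRAM_URL)["bot_id"]
C2_HOST = XWORM_C2.rsplit(":", 1)[0]


def hunt_logs(lines):
    """Return (line_no, indicator) for each log line that hits an IOC.

    Exact indicators first; the generic telegram_bot_api tier flags any Bot API
    call, which is how a rotated token shows up in the same telemetry.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        if STAGE2_URL in line:
            hits.append((no, "stage2_url"))
        if C2_HOST in line:
            hits.append((no, "xworm_c2_host"))
        m = TELEGRAM_BOT_RE.search(line)
        if m:
            tier = "telegram_known_bot" if m.group(1) == KNOWN_BOT_ID else "telegram_bot_api"
            hits.append((no, tier))
    return hits


def match_hashes(inventory):
    """Paths in a {path: sha256} inventory whose hash equals the dropper's."""
    return [p for p, h in inventory.items() if h.lower() == DROPPER_SHA256]


def suspicious_install_paths(paths):
    """Paths that match the configured install location: USB.exe under a Temp directory."""
    out = []
    for p in paths:
        low = p.replace("/", "\\").lower()
        if low.rsplit("\\", 1)[-1] == "usb.exe" and "\\temp\\" in low:
            out.append(p)
    return out


# Constructed sample input (not from the report).
SAMPLE_PROXY_LOG = [
    "2024-07-07T12:00:01Z 10.0.0.21 powershell.exe GET https://rentry.co/CODEDZ/raw 200",
    "2024-07-07T12:00:02Z 10.0.0.21 USB.exe CONNECT authority-amazon.gl.at.ply.gg:41414",
    "2024-07-07T12:00:05Z 10.0.0.21 USB.exe GET " + TELEGRAM_URL + " 200",
    "2024-07-07T12:03:11Z 10.0.0.44 chrome.exe GET https://example.com/ 200",
    # Hypothetical rotated bot token, constructed for the example.
    "2024-07-07T12:04:00Z 10.0.0.45 svchost.exe GET "
    "https://api.telegram.org/bot1111111111:ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/sendDocument?chat_id=42 200",
]

SAMPLE_INVENTORY = {  # path -> sha256, constructed
    r"C:\Users\victim\Downloads\file.ps1": DROPPER_SHA256.upper(),
    r"C:\Users\victim\AppData\Local\Temp\USB.exe": "0" * 64,  # hash not given on the page
    r"C:\Windows\System32\notepad.exe": "1" * 64,
}

if __name__ == "__main__":
    print(telegram_identity(TELEGRAM_URL))
    for hit in hunt_logs(SAMPLE_PROXY_LOG):
        print("hit", hit)
    print("hash matches:", match_hashes(SAMPLE_INVENTORY))
    print("install paths:", suspicious_install_paths(list(SAMPLE_INVENTORY)))
```

Two caveats when using this for real. The C2 hostname sits under ply.gg, a tunnelling service, so the operator can move it cheaply; in DNS telemetry it is worth looking at the whole `.at.ply.gg` suffix as a lead rather than only the exact host, while remembering the service itself is legitimate. Likewise the generic Telegram tier will flag benign Bot API traffic, so treat it as a triage queue, not an alert on its own.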

Targets

    • Target

      file.ps1

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
