General

  • Target

    ey341.exe

  • Size

    64KB

  • Sample

    240708-cdgvmsxbmj

  • MD5

    a43a55c5578f61d05ce146ead83e745a

  • SHA1

    83093f791120d3e74b0d0847aebc52d3c9f04078

  • SHA256

    de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f

  • SHA512

    a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d

  • SSDEEP

    1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    winlogon.exe

  • pastebin_url

    https://pastebin.com/raw/kTrgfRNT

  • telegram

    https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235

Targets

    • Target

      ey341.exe

    • Size

      64KB

    • MD5

      a43a55c5578f61d05ce146ead83e745a

    • SHA1

      83093f791120d3e74b0d0847aebc52d3c9f04078

    • SHA256

      de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f

    • SHA512

      a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d

    • SSDEEP

      1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks