gurcu | d2373e86e03b935c7c24993f2a567a7e9f3b477c460a4c061da4000de493fbd8

General

Target

WaveInstaller.exe
Size

76KB
Sample

240713-1p5b3sydjj
MD5

1b95a7fc10c0b54c7d807d1f7ee2b778
SHA1

75d3a2f1d104b8f4950f59da9e829d61943e3e44
SHA256

d2373e86e03b935c7c24993f2a567a7e9f3b477c460a4c061da4000de493fbd8
SHA512

b225f9052457b5de3728f1f2bf5cf17905de780823ccaa0139e0f559212a05bb177297d950783084cae87f4da217c94d8ad66124f0a3c6946bd5662a43395d4e
SSDEEP

1536:kpn26tWBE8jMMx4yBmEbTb1XyM6lk120w6hO2GRKVJjiS:kpn2FMniTb1IH0w6hOFRKnr

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

email-champions.gl.at.ply.gg:50458

Attributes

Install_directory
%Temp%
install_file
svchost.exe
telegram
https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950

Targets

- Target
  
  WaveInstaller.exe
- Size
  
  76KB
- MD5
  
  1b95a7fc10c0b54c7d807d1f7ee2b778
- SHA1
  
  75d3a2f1d104b8f4950f59da9e829d61943e3e44
- SHA256
  
  d2373e86e03b935c7c24993f2a567a7e9f3b477c460a4c061da4000de493fbd8
- SHA512
  
  b225f9052457b5de3728f1f2bf5cf17905de780823ccaa0139e0f559212a05bb177297d950783084cae87f4da217c94d8ad66124f0a3c6946bd5662a43395d4e
- SSDEEP
  
  1536:kpn26tWBE8jMMx4yBmEbTb1XyM6lk120w6hO2GRKVJjiS:kpn2FMniTb1IH0w6hOFRKnr
Score

10^/10

gurcu xworm discovery evasion execution persistence privilege_escalation ransomware rat stealer trojan upx
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1