Extracted

Extracted

• • Target

    агу агу.exe

  • Size

    66KB

  • MD5

    5c434aad5f00636f72eacd2629bd94d3

  • SHA1

    97d58aa930ca9033c03225f227643c0d3f363565

  • SHA256

    6fc07b159dc07440be552269b3744451ffb4de70d31cbb42ac26e153c02c57c2

  • SHA512

    aa193cc01233441f47e57b447b53fc337da9d93e4e4b012d2f298e0899e474e06ef678098cad6d31d47d4c208702d6a4953f34eb228fd71569d0e7f1959f87ac

  • SSDEEP

    1536:pumiy1u+SnmhVvUdp6S7rbxIsaM26/OkDBUs0:Dw+S6Od4YrbxI8OsBUx

  Score

  10^/10

  xwormexecutionpersistencerattrojangurcustealer

  • Detect Xworm Payload

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2behavioral3behavioral4