Extracted

Extracted

• • Target

    fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe

  • Size

    19.2MB

  • MD5

    aa4bb4c57074e543076b145b7399cd64

  • SHA1

    5e36e64cc686fa553b43d1c274d1a15e18b50501

  • SHA256

    fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7

  • SHA512

    ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb

  • SSDEEP

    393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/

  Score

  10^/10

  executiongurcuxwormdiscoveryevasionpersistenceratstealertrojan

  • Detect Xworm Payload

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2