Overview

overview

10

Static

static

3

133e7b9b8b...d2.exe

windows7-x64

1

133e7b9b8b...d2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

  • Size

    60.2MB

  • Sample

    240806-gz96ja1gln

  • MD5

    2bf7d4849bcf39691c8c49ed1ac92f76

  • SHA1

    f2c477fa8d31b6b4f69ec910d81edc230a696d8e

  • SHA256

    133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

  • SHA512

    b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0

  • SSDEEP

    1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL

Score
10/10
gurcuxwormcredential_accessdefense_evasiondiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7373326479:AAFc-qF_6b4d0zpxZKNAYyps6FvSKGESa2U/sendMessage?chat_id=-4262874204

Targets

    • Target

      133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

    • Size

      60.2MB

    • MD5

      2bf7d4849bcf39691c8c49ed1ac92f76

    • SHA1

      f2c477fa8d31b6b4f69ec910d81edc230a696d8e

    • SHA256

      133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2

    • SHA512

      b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0

    • SSDEEP

      1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL

    Score
    10/10
    gurcuxwormcredential_accessdefense_evasiondiscoveryratspywarestealertrojan

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks