Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://click.pstmrk....

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://click.pstmrk.it/3s/click.pstmrk.it%2F3%2F38.62.245.50%252Fcontract_file.html%2FgCbE%2FOBG3AQ%2FAQ%2F52ae3b51-1704-40c9-94ec-de54b84f9c9c%2F1%2F3kREGiBepU/gCbE/ORG3AQ/AQ/561d52bd-bfd6-46f3-a583-e2bbfc1cd77a/1/Hsj5ltVh0u

  • Sample

    240806-kjhywsydlf

Score
10/10
gurcuxwormdiscoveryexecutionphishingratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

20.ip.gl.ply.gg:61413

21.ip.gl.ply.gg:30704
Mutex

IJ1arWifhZJOz3Zf

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6584279699:AAEqagLrmPUC21iKUr3le2L8nbZJK6ktSFM/sendMessage?chat_id=5479981438

aes.plain
aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6584279699:AAEqagLrmPUC21iKUr3le2L8nbZJK6ktSFM/sendMessage?chat_id=5479981438

Targets

    • Target

      http://click.pstmrk.it/3s/click.pstmrk.it%2F3%2F38.62.245.50%252Fcontract_file.html%2FgCbE%2FOBG3AQ%2FAQ%2F52ae3b51-1704-40c9-94ec-de54b84f9c9c%2F1%2F3kREGiBepU/gCbE/ORG3AQ/AQ/561d52bd-bfd6-46f3-a583-e2bbfc1cd77a/1/Hsj5ltVh0u

    Score
    10/10
    gurcuxwormdiscoveryexecutionphishingratstealertrojan

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks