gurcu | e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264 | Triage

Submit
Reports

Overview

overview

Static

static

3

Celestial.exe

windows7-x64

Celestial.exe

windows10-2004-x64

Sharing

General

Target

Celestial.exe
Size

297KB
Sample

240809-zwrtwsygjj
MD5

9b650b738d97c0e39717fe86401a6726
SHA1

34f361ab5024ad4390a3906cb3fff5a7b5f7e656
SHA256

e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
SHA512

a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
SSDEEP

6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs

Score

10^/10

gurcu xworm discovery evasion persistence privilege_escalation rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Celestial.exe

Resource

win7-20240729-en

xworm discovery rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Celestial.exe

Resource

win10v2004-20240802-en

gurcu xworm discovery evasion persistence privilege_escalation rat stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

engineering-thoroughly.gl.at.ply.gg:32901

20.ip.gl.ply.gg:32901

Attributes

install_file
USB.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY/sendMessage?chat_id=https://t.me/ratnichektg_bot

Targets

- Target
  
  Celestial.exe
- Size
  
  297KB
- MD5
  
  9b650b738d97c0e39717fe86401a6726
- SHA1
  
  34f361ab5024ad4390a3906cb3fff5a7b5f7e656
- SHA256
  
  e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
- SHA512
  
  a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
- SSDEEP
  
  6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs
Score

10^/10

xworm discovery rat trojan gurcu evasion persistence privilege_escalation stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryrattrojan

behavioral2

gurcuxwormdiscoveryevasionpersistenceprivilege_escalationratstealertrojan

© 2018-2024

Terms | Privacy