gurcu | 3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934 | Triage

Submit
Reports

Overview

overview

Static

static

erteterteret.exe

windows7-x64

erteterteret.exe

windows10-2004-x64

Sharing

General

Target

erteterteret.exe
Size

177KB
Sample

240818-w742taxfnb
MD5

858162036ca676172602e7f20396294d
SHA1

98a1816c6f93aad44e89bbd40ffc5be75528fff6
SHA256

3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934
SHA512

9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4
SSDEEP

3072:W9vmZA2wRabTfnm/KOYqPtBz65/M6If+3Js+3JFkKeTn6:W9gdw0bzmMExBt25

Score

10^/10

gurcu xworm execution rat stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

erteterteret.exe

Resource

win7-20240708-en

xworm execution rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

erteterteret.exe

Resource

win10v2004-20240802-en

gurcu xworm execution rat stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

email-champions.gl.at.ply.gg:33429

took-chance.gl.at.ply.gg:33429

Attributes

Install_directory
%AppData%
install_file
MsBusDriver.exe
telegram
https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950

Targets

- Target
  
  erteterteret.exe
- Size
  
  177KB
- MD5
  
  858162036ca676172602e7f20396294d
- SHA1
  
  98a1816c6f93aad44e89bbd40ffc5be75528fff6
- SHA256
  
  3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934
- SHA512
  
  9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4
- SSDEEP
  
  3072:W9vmZA2wRabTfnm/KOYqPtBz65/M6If+3Js+3JFkKeTn6:W9gdw0bzmMExBt25
Score

10^/10

xworm execution rat trojan gurcu stealer
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan

behavioral2

gurcuxwormexecutionratstealertrojan

© 2018-2024

Terms | Privacy