gurcu | acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc | Triage

Sharing

General

Target

svchost.exe
Size

90KB
Sample

240915-vpdlgavckj
MD5

8f535a06fc7c41dcef821b0459066961
SHA1

279430ac0656ca0863aea9e02e47bd1988fa63c1
SHA256

acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc
SHA512

0ffe370fe384b4a7dc3b8003f7d9e7a5901bb9cf7d3524852db3dbad3b8dc0f3ec3de9a0787db72d79c2ded1166e8ea3b8772e0841e776793ecc2996b3aa729f
SSDEEP

1536:2BveucywHzpDOGugyUGlFCxdGqPKlbuQbcfhE50T6UiLlOBDf1vJJF82jik:kvcySpDImxalbuVhE9lOVf1vbh

Score

10^/10

gurcu xworm discovery evasion execution persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.22:46682

127.0.0.1:46682

Attributes

Install_directory
%Temp%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7460424057:AAFqb7sl9YoUjtnfCXABy_ETYSrIdrvDNo8/sendMessage?chat_id=7309152263

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7460424057:AAFqb7sl9YoUjtnfCXABy_ETYSrIdrvDNo8/sendMessage?chat_id=7309152263

Targets

- Target
  
  svchost.exe
- Size
  
  90KB
- MD5
  
  8f535a06fc7c41dcef821b0459066961
- SHA1
  
  279430ac0656ca0863aea9e02e47bd1988fa63c1
- SHA256
  
  acd88b193946ae308f578a08a3426bf6d162f6af6f01401ba264b01e732bbddc
- SHA512
  
  0ffe370fe384b4a7dc3b8003f7d9e7a5901bb9cf7d3524852db3dbad3b8dc0f3ec3de9a0787db72d79c2ded1166e8ea3b8772e0841e776793ecc2996b3aa729f
- SSDEEP
  
  1536:2BveucywHzpDOGugyUGlFCxdGqPKlbuQbcfhE50T6UiLlOBDf1vJJF82jik:kvcySpDImxalbuVhE9lOVf1vbh
Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan discovery ransomware
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

gurcuxwormevasionexecutionpersistenceratstealertrojan

behavioral2

xwormdiscoveryexecutionransomwarerattrojan