General

  • Target

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • Size

    7.0MB

  • Sample

    240924-z2cxxsyepd

  • MD5

    f52edee9472d973f7aedaa58baed96e6

  • SHA1

    dee4734806f0a47e81627a66b2c75e5ec37b6b1a

  • SHA256

    56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

  • SHA512

    1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

  • SSDEEP

    98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Targets

    • Target

      56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

    • Size

      7.0MB

    • MD5

      f52edee9472d973f7aedaa58baed96e6

    • SHA1

      dee4734806f0a47e81627a66b2c75e5ec37b6b1a

    • SHA256

      56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260

    • SHA512

      1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b

    • SSDEEP

      98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks