General

  • Target

    telegram malware.bat.bin

  • Size

    47KB

  • Sample

    240925-qsdnes1dna

  • MD5

    2d4b3f85f3619e096e14096a0849fbf9

  • SHA1

    c9aa9a3f00830625ff3f806d0b0d6a22ac3a7d93

  • SHA256

    49a7db4ab12330edff1ef80c5e0c9c93d69c4fe36e4ae25eb92d311be55baf66

  • SHA512

    42f220a2dee917c3c14164a4fe2399e196218fcea7bc5d56afee6c08ac0bf88b765a9e5bda1cff5f17d59d85800575ceba26819116ca33829a27abed2b53c4aa

  • SSDEEP

    768:0yWnyN9IbUZIYiztjyHg6QihA1WmmaMj17Hln1nVrV:0E9XqYwtWAb1DmdxLln5

Malware Config

Extracted

Family

xworm

Version

5.0

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7533145045:AAGnW8Bkr0_G1f_ZxiKTve5hlRZjphTc0aM/sendMessage?chat_id=-4512836800

Targets

    • Target

      telegram malware.bat.bin

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide display window.

MITRE ATT&CK Enterprise v15

Tasks