gurcu | hxxps://github[.]com/DannyTheSloth/VanillaRAT

General

Target

https://github.com/DannyTheSloth/VanillaRAT
Sample

240928-l7lv5azern

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

full-wet.at.ply.gg:38848

Attributes

Install_directory
%AppData%
install_file
chrome.exe

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.8%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  https://github.com/DannyTheSloth/VanillaRAT
Score

10^/10

gurcu lumma vanillarat xworm agilenet discovery persistence rat spyware stealer trojan
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Vanilla Rat payload
  rat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral1