General

  • Target

    Output.exe

  • Size

    11.6MB

  • Sample

    240930-nl7xksxckh

  • MD5

    d7c99b9559332b8652b2cf85c34f1dea

  • SHA1

    cbd247890c862d964683f8dc81cc3d7747bdfb73

  • SHA256

    53d398e45aaad1c1cbbb4be5abd2a0d2c039b746792fb63bd8b9b28aebf359ca

  • SHA512

    184945ec88ebe3e3ec5e3a71b9870b3459a0bb37491a665f356d3cb7286e0e79bed44a19e21cceba0fe0ec07a1d89e2238c70b06bd9c5dc5956b7715e8a8911f

  • SSDEEP

    196608:tO3ytpGu2gWR5fMEseOI8LG8Ac+g6sFZstcVw8q1Q6HmVF:tO3j5gWR5fBSI58t+gbZst9

Malware Config

Extracted

Family

xworm

C2

reason-warnings.gl.at.ply.gg:20382

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendMessage?chat_id=-4594364141

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/getUpdates?offset=-

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4590251468&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks