gurcu | 409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e | Triage

Submit
Reports

Overview

overview

Static

static

3

Kling_Comp...ng.exe

windows7-x64

1

Kling_Comp...ng.exe

windows10-2004-x64

Sharing

General

Target

Kling_CompletedPhoto.png.exe
Size

65.8MB
Sample

241001-1efwqs1fql
MD5

4e57a4ffcd80f3323997b7f4d287c43b
SHA1

a5219f47566c3859d4163de2b2248779e4b348c3
SHA256

409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e
SHA512

db7ecfc778bcd02b7ab2ad0845120c1303c97831151c83316e1d3b731f8ae41e73a18791d5774d60b7f2062ee0a11c178124cf127fb7d54c804dce97e0233279
SSDEEP

1572864:1pwUgUIgIeCSI9JF+8e2eSLYQA//1YCZG0ISKATMQjlh7k:1hC33VR0Qk/yOGjCMwDk

Score

10^/10

gurcu lumma xworm defense_evasion discovery rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Kling_CompletedPhoto.png.exe

Resource

win7-20240903-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

Kling_CompletedPhoto.png.exe

Resource

win10v2004-20240802-en

gurcu lumma xworm defense_evasion discovery rat stealer trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

lumma

Extracted

Family

xworm

Version

5.0

C2

lun.servepics.com:25902

Mutex

gUAMuTh5gjsDB7Ov

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0

aes.plain

Extracted

Family

lumma

C2

https://markyclaktwi.store/api

https://gravvitywio.store/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755

Targets

- Target
  
  Kling_CompletedPhoto.png.exe
- Size
  
  65.8MB
- MD5
  
  4e57a4ffcd80f3323997b7f4d287c43b
- SHA1
  
  a5219f47566c3859d4163de2b2248779e4b348c3
- SHA256
  
  409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e
- SHA512
  
  db7ecfc778bcd02b7ab2ad0845120c1303c97831151c83316e1d3b731f8ae41e73a18791d5774d60b7f2062ee0a11c178124cf127fb7d54c804dce97e0233279
- SSDEEP
  
  1572864:1pwUgUIgIeCSI9JF+8e2eSLYQA//1YCZG0ISKATMQjlh7k:1hC33VR0Qk/yOGjCMwDk
Score

10^/10

gurcu lumma xworm defense_evasion discovery rat stealer trojan
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Network Service Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gurculummaxwormdefense_evasiondiscoveryratstealertrojan

© 2018-2024

Terms | Privacy