General

  • Target

    Kling_CompletedVideo.zip

  • Size

    52.9MB

  • Sample

    241002-yytwlaxgqb

  • MD5

    32361c8c9d620b7d499248cf63e09644

  • SHA1

    c0d0d9337ab9bedf8a87aee51b17f3173f115b03

  • SHA256

    ab779a17f2fb5dcff87c0f55466e46fc31adf6b2b11141703d7cd484fc6a2343

  • SHA512

    8e3c19e438662423422a359cf2591ef9f2d5c42097f3188db2bec2feb02d57de24ad3dc73d3e1e998e50cdb2693a26e94cf4c0174a9cc8472860a4daec70731d

  • SSDEEP

    786432:tQaraHj6rxPWK/Ax5ZgRB1yUDqiFjSfuBgMYo0kyowSuXKWpb7SM58vFKzqW4fQN:tQamD6rxDggRI0BgVo0NtKW5V58tWmW

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7276041743:AAHcuQBIgMQxThnw-SMW4PSn0GYAkSjroxA/sendMessage?chat_id=-1002395802128

Targets

    • Target

      Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

    • Size

      53.5MB

    • MD5

      3d48cdbd6d323a25303ec7c6e6c31176

    • SHA1

      044a8d324faf96eaaca3a8323bcb1eb75ecca1d8

    • SHA256

      96ff951df16221de54c394c38869aa77e6e7424669521ce5aaabee379b6f96f1

    • SHA512

      b64d6714530d342c7f615261062f8e60a6d472651878de2748edef862f1811d32b919a0252013e1cd8cea45b68fa9aa6f5f6ccf39298a80efa8fdf0829522f61

    • SSDEEP

      786432:rnkl+yqXRVMeIrKNdd8T7lEwR0A9z2x4HdIooSaEOUcaLAC1tVCCxQTl8vUOwZgN:I+LXRVCe8TUqHdXoSB5ACt5xQ5wk

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks