Extracted

• • Target

    Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

  • Size

    53.5MB

  • MD5

    3d48cdbd6d323a25303ec7c6e6c31176

  • SHA1

    044a8d324faf96eaaca3a8323bcb1eb75ecca1d8

  • SHA256

    96ff951df16221de54c394c38869aa77e6e7424669521ce5aaabee379b6f96f1

  • SHA512

    b64d6714530d342c7f615261062f8e60a6d472651878de2748edef862f1811d32b919a0252013e1cd8cea45b68fa9aa6f5f6ccf39298a80efa8fdf0829522f61

  • SSDEEP

    786432:rnkl+yqXRVMeIrKNdd8T7lEwR0A9z2x4HdIooSaEOUcaLAC1tVCCxQTl8vUOwZgN:I+LXRVCe8TUqHdXoSB5ACt5xQ5wk

  Score

  10^/10

  gurcuxwormdefense_evasiondiscoveryexecutionratspywarestealertrojan

  • Detect Xworm Payload

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery

  • Enumerates processes with tasklist

    discovery

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion
  behavioral1behavioral2