Overview: score 10
Static: score 10
XWorm-RAT-...er.exe: windows7-x64 score 3, windows10-1703-x64 score 3, windows10-2004-x64 score 3, windows11-21h2-x64 score 3
XWorm-RAT-...NC.exe: windows7-x64 score 7, windows10-1703-x64 score 7, windows10-2004-x64 score 7, windows11-21h2-x64 score 7
XWorm-RAT-....1.exe: windows7-x64 score 7, windows10-1703-x64 score 7, windows10-2004-x64 score 10, windows11-21h2-x64 score 10
General
Target: XWorm-RAT-main.zip
Size: 34.0MB
Sample: 241005-mp4tnazfkr
MD5: 29d7604d626be3cd14d8471f8c5a56fb
SHA1: 4dd20965f1205529c948c3ebbccfa0bb2d10b5fa
SHA256: ab6c9b1b354d32cc272164d7e28dfe89e4cf6c8aa5b02c5d095c8f211cd34e82
SHA512: ef5a499330e31df14786eba16207a5485d3f09956288948234f20d596639ba147b31aa2d6e80008513ac2d3ff776af2d79aaba1c65f9b6c79ecaf3a99a7e316f
SSDEEP: 786432:GiIKkjFflNqspgclWQmPfDQXzTnHB35nrXGWxUzR+JIZq:FG3cs5AL7Wh35nrXG5z4T
Behavioral tasks
behavioral1: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource win7-20240903-en)
behavioral2: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource win10-20240404-en)
behavioral3: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource win10v2004-20240802-en)
behavioral4: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe (resource win11-20240802-en)
behavioral5: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource win7-20240903-en)
behavioral6: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource win10-20240404-en)
behavioral7: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource win10v2004-20240802-en)
behavioral8: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe (resource win11-20240802-en)
behavioral9: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource win7-20240903-en)
behavioral10: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource win10-20240404-en)
behavioral11: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource win10v2004-20240802-en)
behavioral12: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe (resource win11-20240802-en)
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=2024893777
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
Targets
Target: XWorm-RAT-main/XWorm RAT V2.1/Command Reciever.exe
Size: 6.5MB
MD5: a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1: e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256: 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512: 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
SSDEEP: 98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L
Score: 3/10
Target: XWorm-RAT-main/XWorm RAT V2.1/XHVNC.exe
Size: 1.9MB
MD5: 4904329d091687c9deb08d9bd7282e77
SHA1: bcf7fcebb52cad605cb4de65bdd077e600475cc7
SHA256: e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
SHA512: b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
SSDEEP: 24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Target: XWorm-RAT-main/XWorm RAT V2.1/XWorm RAT V2.1.exe
Size: 2.2MB
MD5: 835f081566e31c989b525bccb943569c
SHA1: 71d04e0a86ce9585e5b7a058beb0a43cf156a332
SHA256: ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
SHA512: 9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
SSDEEP: 49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm
Score: 10/10
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)