gurcu | 31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad | Triage

Sharing

General

Target

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
Size

2.1MB
Sample

241009-brkb9ayakn
MD5

8c04e5d5adaf15173fecd9384ceda14d
SHA1

9cbcf5134cfecb1a1f0c7e615a2a973ed8381e54
SHA256

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad
SHA512

7616ce8a0728abedb084c516b47fe45b7af264458d9fa4edccebbd2f8e77fbc17a703f06e8e23b9c618a45176a6073f6a5b0727619adf30f620eac062d58c0fe
SSDEEP

24576:X40Bg3buy6rMn3I5bF2Wlo7XGc6okgFZ5A1WqJlLsYpd+wyQn652pBJTu:DCruyinbFOR6PgFZmMqJ19pd+wpXa

Score

10^/10

gurcu xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Family

xworm

Version

5.0

C2

172.214.220.82:5555

Mutex

XjG17XjAty4BSeG3

Attributes

Install_directory
%LocalAppData%
install_file
sys32.exe
telegram
https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw/sendMessage?chat_id=-4592360412

Targets

- Target
  
  31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
- Size
  
  2.1MB
- MD5
  
  8c04e5d5adaf15173fecd9384ceda14d
- SHA1
  
  9cbcf5134cfecb1a1f0c7e615a2a973ed8381e54
- SHA256
  
  31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad
- SHA512
  
  7616ce8a0728abedb084c516b47fe45b7af264458d9fa4edccebbd2f8e77fbc17a703f06e8e23b9c618a45176a6073f6a5b0727619adf30f620eac062d58c0fe
- SSDEEP
  
  24576:X40Bg3buy6rMn3I5bF2Wlo7XGc6okgFZ5A1WqJlLsYpd+wyQn652pBJTu:DCruyinbFOR6PgFZmMqJ19pd+wpXa
Score

10^/10

gurcu xworm discovery execution persistence rat stealer trojan
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gurcuxwormdiscoveryexecutionpersistenceratstealertrojan