General

  • Target

    0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe

  • Size

    2.1MB

  • Sample

    241011-j2fqtatcqb

  • MD5

    de2b7ec32d3a5c530e5a1aa6f2b27b16

  • SHA1

    83c3c02a1c5746882094939ed4f1ab61954ff8f0

  • SHA256

    0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f

  • SHA512

    e76d643dc5fad7de78172bafe3b33da231bbce76fb2c46235338e811112f32775dfd20acf770141808ee00c0e9527829933d9ec1ee04c776b774eff80168bee8

  • SSDEEP

    24576:S/BARUsXRaTX3P/drZ6p7Ut2Qcbgn5DFIOG+N3mYm8hz8UQn652/BJOD:i2HXRWXdrEDQ0gn5xfG+8H8hz8rdm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

  • ps1.dropper

    https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

  • exe.dropper

    https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Family

xworm

Version

5.0

C2

65.52.240.233:5555

Mutex

hVgkZkPRZQoZH7T4

Attributes
  • Install_directory

    %AppData%

  • install_file

    sys32.exe

  • telegram

    https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI/sendMessage?chat_id=-4568444843

Targets

    • Target

      0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
