gurcu | f06d703e9fef41979a899049dc50232b950543e6a9c0adee9b652277e9be64ce | Triage

Submit
Reports

Overview

overview

Static

static

3

WaveInstaller_2.5.exe

windows7-x64

1

WaveInstaller_2.5.exe

windows10-2004-x64

Sharing

General

Target

WaveInstaller_2.5.exe
Size

35.9MB
Sample

241018-2t5dbasglf
MD5

ee462d9e9b760b6d5f84847046fc608a
SHA1

af4928d2d723ac17fcb7644e01e0c7a5be08bc49
SHA256

f06d703e9fef41979a899049dc50232b950543e6a9c0adee9b652277e9be64ce
SHA512

895efddeb85d6246d2cc6661baeb77ee66219ac0cecc5f826533e2c21b27b254d0ddf01d3e3895b89f83f87e91230cd777d6de159a290bdaef0acef22a85b28d
SSDEEP

393216:m1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfw:mMguj8Q4VfvlqFTrYV

Score

10^/10

gurcu xworm execution rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WaveInstaller_2.5.exe

Resource

win7-20240708-en

windows7-x64

0 signatures

300 seconds

Behavioral task

behavioral2

Sample

WaveInstaller_2.5.exe

Resource

win10v2004-20241007-en

gurcu xworm execution rat stealer trojan

windows10-2004-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

roblox.airdns.org:62604

Mutex

G7obyOuwlcJIJWSW

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe
telegram
https://api.telegram.org/bot6871887156:AAH4uOJPQoZzoRxR8zOxOqMIkNDYQQvogdM

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6871887156:AAH4uOJPQoZzoRxR8zOxOqMIkNDYQQvogdM/sendMessage?chat_id=-4513157803

Targets

- Target
  
  WaveInstaller_2.5.exe
- Size
  
  35.9MB
- MD5
  
  ee462d9e9b760b6d5f84847046fc608a
- SHA1
  
  af4928d2d723ac17fcb7644e01e0c7a5be08bc49
- SHA256
  
  f06d703e9fef41979a899049dc50232b950543e6a9c0adee9b652277e9be64ce
- SHA512
  
  895efddeb85d6246d2cc6661baeb77ee66219ac0cecc5f826533e2c21b27b254d0ddf01d3e3895b89f83f87e91230cd777d6de159a290bdaef0acef22a85b28d
- SSDEEP
  
  393216:m1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfw:mMguj8Q4VfvlqFTrYV
Score

10^/10

gurcu xworm execution rat stealer trojan
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gurcuxwormexecutionratstealertrojan

© 2018-2024

Terms | Privacy