Overview

overview

10

Static

static

3

Luxury Cry...0.0.7z

windows7-x64

1

Luxury Cry...0.0.7z

windows10-2004-x64

1

Installati...er.exe

windows7-x64

3

Installati...er.exe

windows10-2004-x64

3

Installati...er.zip

windows7-x64

1

Installati...er.zip

windows10-2004-x64

1

DefenderRemover.exe

windows7-x64

3

DefenderRemover.exe

windows10-2004-x64

3

Installati...DME.md

windows7-x64

3

Installati...DME.md

windows10-2004-x64

3

Luxury Cry...ey.dll

windows7-x64

1

Luxury Cry...ey.dll

windows10-2004-x64

1

Luxury Cry...er.dll

windows7-x64

1

Luxury Cry...er.dll

windows10-2004-x64

1

Luxury Cry...I2.dll

windows7-x64

1

Luxury Cry...I2.dll

windows10-2004-x64

1

Luxury Cry...ge.exe

windows7-x64

1

Luxury Cry...ge.exe

windows10-2004-x64

1

Luxury Cry...��.exe

windows7-x64

10

Luxury Cry...��.exe

windows10-2004-x64

10

安装指�...er.exe

windows7-x64

3

安装指�...er.exe

windows10-2004-x64

3

安装指�...er.zip

windows7-x64

1

安装指�...er.zip

windows10-2004-x64

1

DefenderRemover.exe

windows7-x64

3

DefenderRemover.exe

windows10-2004-x64

3

安装指�...DME.md

windows7-x64

3

安装指�...DME.md

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Luxury Crypter 18.0.0.7z

  • Size

    3.8MB

  • Sample

    241023-s4qhgazdnr

  • MD5

    f9ef786783f16792eb9965b19705e930

  • SHA1

    997a903e880601dde86945f89a1be19045655c45

  • SHA256

    1252c59f28ed87f9236af0b045978c17351faf34649e639b1dc8fdfdd5ccc0ae

  • SHA512

    f981c79da3aa0030228fd3feaf8b0314649125aa7cd02cf0227b7e32abeb6a5f370e4cd2900ed8cd8738ec6641e3f7d9e2050cdd5d7135947bd65b4a2d3e932e

  • SSDEEP

    98304:qOW562vZKkvKpfM2nStBK4LX21NcQsRliOk:q16xkvKM2nSft21VsRly

Score
10/10
gurcuxwormdiscoveryexecutionratstealertrojan

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Targets

    • Target

      Luxury Crypter 18.0.0.7z

    • Size

      3.8MB

    • MD5

      f9ef786783f16792eb9965b19705e930

    • SHA1

      997a903e880601dde86945f89a1be19045655c45

    • SHA256

      1252c59f28ed87f9236af0b045978c17351faf34649e639b1dc8fdfdd5ccc0ae

    • SHA512

      f981c79da3aa0030228fd3feaf8b0314649125aa7cd02cf0227b7e32abeb6a5f370e4cd2900ed8cd8738ec6641e3f7d9e2050cdd5d7135947bd65b4a2d3e932e

    • SSDEEP

      98304:qOW562vZKkvKpfM2nStBK4LX21NcQsRliOk:q16xkvKM2nSft21VsRly

    Score
    1/10
    behavioral1behavioral2

    • Target

      Installation Guide/DefenderRemover.exe

    • Size

      823KB

    • MD5

      879e3d30cc1392370ab0eec1601aa1b6

    • SHA1

      c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

    • SHA256

      704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

    • SHA512

      71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

    • SSDEEP

      12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Installation Guide/DefenderRemover.zip

    • Size

      505KB

    • MD5

      b021f7c45fe950f48b4768d3e1182a2d

    • SHA1

      5a8adbbc093e85bb1128629ea36a168e7e460da1

    • SHA256

      af20364d2e09cde933412c059f5295d296dd189507294ebe786a69d6eb3cafe6

    • SHA512

      01f04b4671259a897ab3b446265e882f3780b3177410f16bf3a404231205bb5f9f1883efabebafd57f4d974908a4faafa5bde7fb10eb8fdcd3008fde748b39a4

    • SSDEEP

      12288:n7SDe/kYAhSoTHD9Xa9lovLoS/x790K9KoybuHq6f6diYgyd:n7SqAhS4KQoS/PVQ4Hedixyd

    Score
    1/10
    behavioral5behavioral6

    • Target

      DefenderRemover.exe

    • Size

      823KB

    • MD5

      879e3d30cc1392370ab0eec1601aa1b6

    • SHA1

      c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

    • SHA256

      704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

    • SHA512

      71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

    • SSDEEP

      12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      Installation Guide/README.md

    • Size

      496B

    • MD5

      9461a7e1bebab36162e2afd2263a5bc8

    • SHA1

      a77ba243c10588c4428f3f372b82191839ec5acf

    • SHA256

      41ee272268648deba3d883c3f6caa429c140135cf3f6d6194664f86159ff9381

    • SHA512

      0909a0e510feac4478a711191afe6f82c24c515889646f880cfc51d34c19d5e58f351f1363afb1625e172f87c67c9093f6a6645460209a4a212e530443d26243

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      Luxury Crypter 18.0.0/Dynamitey.dll

    • Size

      165KB

    • MD5

      be2e56a09631590b126e7391c7452c48

    • SHA1

      a2553f248739cfc26b8ab48d749d4a70de589e0c

    • SHA256

      da043bd3a340f9155a54547e3bc379279d488e9ba56ce76076c5a5d6c26337a4

    • SHA512

      741a259a7a6217168d3c1ff8ff0e41d39c20c672dd3aa8cab8b1fca4877ccc0af2cc4382f5e6bc3192b042445e29bf0b1581f4255d42aaf5a61c2f76a2844240

    • SSDEEP

      3072:3NS1izfuCxst/mKWF9gepzIPmjmfsf8s:IOfuCxst/mKWntqHsf8

    Score
    1/10
    behavioral11behavioral12

    • Target

      Luxury Crypter 18.0.0/FontsInstaller.dll

    • Size

      371KB

    • MD5

      5063ada08270d629a051121a8ecb4160

    • SHA1

      0e2d0391523fe5595c408507f7b80918bfe23552

    • SHA256

      3c357e4d067d2c9322b6d4a4a691698913a76570982af561c6c9438832f42ccc

    • SHA512

      d9eb54f867ca0796dad47e9ebc5c40ca055a0bea90868220c6ae6dc6ad4d863dab24e38f51284fb33d7733f8034c384c8044946c14d92553a7b3a0dd379ad13f

    • SSDEEP

      3072:BZSayK7cup8yzxJQKhopX4Etl8Q+/EHz8c/TzyGl+qF0HWN/InbBv8ZtSOQ9duOk:D7ccWXPETcr0qF06/0bytQ3uOFXA

    Score
    1/10
    behavioral13behavioral14

    • Target

      Luxury Crypter 18.0.0/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    behavioral15behavioral16

    • Target

      Luxury Crypter 18.0.0/ILMerge.exe

    • Size

      668KB

    • MD5

      2bb6322885e6ca0986206de174e842c9

    • SHA1

      c5ea70169106d32bc513d28ea76ae8ea1e49380b

    • SHA256

      8110d740b485bcb06ff406b17001714c3a146fe6517098c9dc90d812b83389fd

    • SHA512

      9750180c54a5bd8f0e1fa8a8f529364430f2ef444efbf8ac51e8d2a0aaa4e3d21fe553865ba8567c7c19e4ae84d04b20464f391743e88c52c00cac0bf20fc2a7

    • SSDEEP

      12288:8E8Q+HlWx+TV7109nrRoTQhfL40+FQT7gWoi:hn+HQp9UQ2dFNi

    Score
    1/10
    behavioral17behavioral18

    • Target

      Luxury Crypter 18.0.0/Luxury Crypter‌.exe

    • Size

      2.9MB

    • MD5

      ffaf52e43618a09017ba3b764c5e205f

    • SHA1

      f2d6751870948308817dceda259111101eb2e3b2

    • SHA256

      4efb2b692fd63845dc443f589f83d410905c7cf4a1013444d083120506a26076

    • SHA512

      3d462f333c3c68b5fbad691949c57aeedba2fa3d7a1acc1e40f4e18a83d9db34e5e86e10a7d2fa1a991a053e2a5281b459f69c9228a534beb0d6b0f13443cd59

    • SSDEEP

      49152:jOnLUriuqNoO3vKbITB5CtHHBzNYkd/xP9wUU4F8TEK7wzSrsjqz:in5TuiBwBCkd/NSUUB4K0uYjY

    Score
    10/10
    xwormdiscoveryexecutionrattrojangurcustealer

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    behavioral19behavioral20

    • Target

      安装指南/DefenderRemover.exe

    • Size

      823KB

    • MD5

      879e3d30cc1392370ab0eec1601aa1b6

    • SHA1

      c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

    • SHA256

      704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

    • SHA512

      71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

    • SSDEEP

      12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      安装指南/DefenderRemover.zip

    • Size

      505KB

    • MD5

      9e5e97169b6cba4e7b31c698686a673c

    • SHA1

      129a714ae1b81d60aa82b54b6c8569e9ab570787

    • SHA256

      db1b187020ff2c794ac1565cd41baa3425c164aee82608bfebb831a2f997ba29

    • SHA512

      b9a40e2608f67e7f66c57952150b7a8c39007a437943bfcdc9515ef8aaa43e6d1416dea16c06866891921b8904f1dd4ae2f2c0f08c410a3114ec55c878bb1cb9

    • SSDEEP

      12288:n7SDe/kYAhSoTHD9Xa9lovLoS/x790K9KoybuHq6f6diYgyC:n7SqAhS4KQoS/PVQ4HedixyC

    Score
    1/10
    behavioral23behavioral24

    • Target

      DefenderRemover.exe

    • Size

      823KB

    • MD5

      879e3d30cc1392370ab0eec1601aa1b6

    • SHA1

      c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

    • SHA256

      704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

    • SHA512

      71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

    • SSDEEP

      12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

    Score
    3/10
    discovery
    behavioral25behavioral26

    • Target

      安装指南/README.md

    • Size

      506B

    • MD5

      d3ff53a5c69a36e2c6da3e1c2e766eee

    • SHA1

      b62877a8a3bbb2a7eab7024535a7b8fe27030220

    • SHA256

      3c87c1b8b6f05a185b27ba4eec8f46619fae5799d81caa72ad40eca6e7c081c5

    • SHA512

      51d2ea43dc0f7d31b5c343a21f84aaa9436d2cd7f7d7a023c8f2ed9174970fac642cc8aca9e3bee906504e6612690ee226775e76d794b8ee70b488f8e525a12b

    Score
    3/10
    discovery
    behavioral27behavioral28

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

xwormdiscoveryexecutionrattrojan
Score
10/10

behavioral20

gurcuxwormdiscoveryexecutionratstealertrojan
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

Score
3/10