Overview

overview

10

Static

static

3

13804a9b2b...b2.exe

windows7-x64

10

13804a9b2b...b2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • Size

    1.6MB

  • Sample

    241029-yw88haxqfz

  • MD5

    9d8b111c3743b5b77fdd8fce1e30b50c

  • SHA1

    963e2bb076141300843bc8b61d6808ebd7a6dfae

  • SHA256

    13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

  • SHA512

    0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

  • SSDEEP

    24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

Score
10/10
gurcuxwormexecutionratstealertrojan

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Targets

    • Target

      13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

    • Size

      1.6MB

    • MD5

      9d8b111c3743b5b77fdd8fce1e30b50c

    • SHA1

      963e2bb076141300843bc8b61d6808ebd7a6dfae

    • SHA256

      13804a9b2b635d274228778d41f850ad20e25573075c03315a1aed980f9305b2

    • SHA512

      0a916cd6c28b71e342aa4c4d2f06253b3b89913ecce33b7776179d4e88f7e925712801265c6a7ebd440874e4226a16988155ebb8cccb3cb37c298276df2a063f

    • SSDEEP

      24576:RRVHmGd0BwUzR+frsjqz86M0/i/U7vqqp:VGGd4NzSrsjqzh/i/kvfp

    Score
    10/10
    xwormexecutionrattrojangurcustealer

    • Detect Xworm Payload

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

      stealergurcu

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks