Extracted

Extracted

Extracted

Extracted

• • Target

    DEVIS_VALIDE.js

  • Size

    199KB

  • MD5

    9feff1a23db299a128f16bc6091df793

  • SHA1

    2041542fb6ddc259c2888d587f75a06947d6c0dc

  • SHA256

    67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9

  • SHA512

    6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2

  • SSDEEP

    3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W

  Score

  10^/10

  executiongurcuxwormdefense_evasiondiscoverypersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Hide Artifacts: Hidden Window

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2