General

  • Target

    67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js

  • Size

    199KB

  • Sample

    241121-f3nw2aydqa

  • MD5

    9feff1a23db299a128f16bc6091df793

  • SHA1

    2041542fb6ddc259c2888d587f75a06947d6c0dc

  • SHA256

    67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9

  • SHA512

    6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2

  • SSDEEP

    3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    fYudY1578@@@@@@

Extracted

Family

xworm

Version

5.0

C2

moneyluckwork.ddns.net:7000

moneyluck.duckdns.org:7000

Mutex

HLfH6HTja99GuzBA

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

Targets

    • Target

      67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js

    • Size

      199KB

    • MD5

      9feff1a23db299a128f16bc6091df793

    • SHA1

      2041542fb6ddc259c2888d587f75a06947d6c0dc

    • SHA256

      67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9

    • SHA512

      6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2

    • SSDEEP

      3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W

    • Detect Xworm Payload

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks