gurcu | a1af1cebcb9b024f05690fd07e65a7363e3bc0395cfc788102e9a907e76dda03 | Triage

Submit
Reports

Overview

overview

Static

static

1

AncelsPerf...ch.bat

windows10-2004-x64

Sharing

General

Target

AncelsPerformanceBatch.bat
Size

165KB
Sample

241124-xh22latmdw
MD5

95e5072c5582d546e2bd42eee4642376
SHA1

e920b5930456311885ed1506d2b6eee76d745bf1
SHA256

a1af1cebcb9b024f05690fd07e65a7363e3bc0395cfc788102e9a907e76dda03
SHA512

597caafd90f4ac9177bd9de3fe3523b2a8711596b93d9eb1e0a97efc08dad8033772040c35471b6ebd74d992676da485c7542776c2f062a2bdbad234aea2ee7d
SSDEEP

1536:dl2cSlFWJQlpTUgIafq+2RSM88xck4YaXv5n1kwM+ZA:7aNJ4cFuL

Score

10^/10

gurcu xworm discovery execution rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

AncelsPerformanceBatch.bat

Resource

win10v2004-20241007-en

gurcu xworm discovery execution rat stealer trojan

windows10-2004-x64

30 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Targets

- Target
  
  AncelsPerformanceBatch.bat
- Size
  
  165KB
- MD5
  
  95e5072c5582d546e2bd42eee4642376
- SHA1
  
  e920b5930456311885ed1506d2b6eee76d745bf1
- SHA256
  
  a1af1cebcb9b024f05690fd07e65a7363e3bc0395cfc788102e9a907e76dda03
- SHA512
  
  597caafd90f4ac9177bd9de3fe3523b2a8711596b93d9eb1e0a97efc08dad8033772040c35471b6ebd74d992676da485c7542776c2f062a2bdbad234aea2ee7d
- SSDEEP
  
  1536:dl2cSlFWJQlpTUgIafq+2RSM88xck4YaXv5n1kwM+ZA:7aNJ4cFuL
Score

10^/10

gurcu xworm discovery execution rat stealer trojan
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gurcuxwormdiscoveryexecutionratstealertrojan

© 2018-2024

Terms | Privacy