Extracted

Extracted

• • Target

    ace_brute_v3.exe

  • Size

    20.7MB

  • MD5

    8ce170fe4a60c76558c96e9a75fb49a7

  • SHA1

    a6211291e0933b93582ae06955977a98d69e7514

  • SHA256

    db3f35ead020e7aecfdba98d1e5145ced413a01984793f6d57834798dd0de0a6

  • SHA512

    2ed2b6264abdac610f25361808697fbaad6e7a33f67c84db118cb932528d184f3ffb1d86fbc1487e1303d722b7cb81b46bcf37a2f0c314b054f162872a7c6a1d

  • SSDEEP

    393216:TCGBLUmCO0GQQFSs3laejYsB69XmyzTvJ8cr3jALaDhZVHkURVnX72kI7OVWNp:T1BLVCOtXFVjYZ9HnW1LaZHRXXm71D

  Score

  10^/10

  gurcuxwormdiscoveryexecutionpersistencepyinstallerratspywarestealertrojan

  • Detect Xworm Payload

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1