gurcu | 503460c51a5c10fab8e05af5de5f531ec0b1e3c0f9fb69ff8465fae1c9e24ab5

General

Target

crypted.exe
Size

20.7MB
Sample

241126-d2alxaskd1
MD5

72201d2a8b18860b045bcf0df33ea846
SHA1

8c0c7854825a09de4766b8dc0732e900af19f27c
SHA256

503460c51a5c10fab8e05af5de5f531ec0b1e3c0f9fb69ff8465fae1c9e24ab5
SHA512

85aa2e1a06b8b6e0500e6ea2cb1718f1f2b34032102d67ba807218dc879d5c2186dbf34ace25d248fda5842644d40b784cc3a2275b5bf8eaf412cead2547dd5d
SSDEEP

393216:gsgRSfpBBhJE7YBAQ4T/u1xIne6xwnL848nVcdIFrp2lAqeQ7USb:jgRU/i7l7T/Xe18rVcdNATI

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

find-rubber.gl.at.ply.gg:5426

Mutex

CRQoPEkBWWzMBNPO

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7755383590:AAEvaE0gRP-tFTfH0LuSq-fhWltSTUkzf20/sendDocument?chat_id=-1002252855973&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7755383590:AAEvaE0gRP-tFTfH0LuSq-fhWltSTUkzf20/sendMessage?chat_id=-1002252855973

https://api.telegram.org/bot7755383590:AAEvaE0gRP-tFTfH0LuSq-fhWltSTUkzf20/getUpdates?offset=-

https://api.telegram.org/bot7755383590:AAEvaE0gRP-tFTfH0LuSq-fhWltSTUkzf20/sendDocument?chat_id=-1002252855973&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  crypted.exe
- Size
  
  20.7MB
- MD5
  
  72201d2a8b18860b045bcf0df33ea846
- SHA1
  
  8c0c7854825a09de4766b8dc0732e900af19f27c
- SHA256
  
  503460c51a5c10fab8e05af5de5f531ec0b1e3c0f9fb69ff8465fae1c9e24ab5
- SHA512
  
  85aa2e1a06b8b6e0500e6ea2cb1718f1f2b34032102d67ba807218dc879d5c2186dbf34ace25d248fda5842644d40b784cc3a2275b5bf8eaf412cead2547dd5d
- SSDEEP
  
  393216:gsgRSfpBBhJE7YBAQ4T/u1xIne6xwnL848nVcdIFrp2lAqeQ7USb:jgRU/i7l7T/Xe18rVcdNATI
Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan gurcu milleniumrat spyware stealer
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Milleniumrat family
  milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2