Extracted

Extracted

• • Target

    photo_for_you.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

  • Size

    57.1MB

  • MD5

    f46aed0934318a70362ea9a3aed48fd0

  • SHA1

    0fd0dc815197aa3f98118c1c993903c6b31f2c9c

  • SHA256

    d07819f4da91a51777dd91789ad54c7efe81f2afa644761b6958de2322823ec4

  • SHA512

    b6cc4106cdce94b7621f1fd57fff199272714fd2090ffc6d243ad89fefb08742d92dac3bfcd60c7bbfcddcebabc8bd12ce3136294f5003098b1deb66d3ea8b3e

  • SSDEEP

    786432:swBPj4cKJ4hFek07BxrNWEBZ0k2fVmjhKXrPfkbq4j0hqrCkB5oM4zTu1rMEr6o3:swl1hFehrN9ZqBjXI0e/9wCl9rr3

  Score

  10^/10

  gurcuxwormcredential_accessdiscoverypersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • Gurcu family

    gurcu

  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1