Overview

overview

10

Static

static

3

XWorm RAT V2.1.exe

windows7-x64

3

XWorm RAT V2.1.exe

windows10-2004-x64

10

XWorm RAT V2.1.exe

android-10-x64

Resubmissions

18-12-2024 00:13

241218-ah91wavqgj 3

17-12-2024 19:15

241217-xyj6qavncs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm RAT V2.1.exe

  • Size

    2.2MB

  • Sample

    241217-xyj6qavncs

  • MD5

    835f081566e31c989b525bccb943569c

  • SHA1

    71d04e0a86ce9585e5b7a058beb0a43cf156a332

  • SHA256

    ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579

  • SHA512

    9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c

  • SSDEEP

    49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm

Score
10/10
gurcuagilenetandroiddiscoverymotwpersistencephishingspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.22%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

Targets

    • Target

      XWorm RAT V2.1.exe

    • Size

      2.2MB

    • MD5

      835f081566e31c989b525bccb943569c

    • SHA1

      71d04e0a86ce9585e5b7a058beb0a43cf156a332

    • SHA256

      ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579

    • SHA512

      9ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c

    • SSDEEP

      49152:LdYJMfC7koydmRzCxWO8e89khof23mKijV6WvFw3BAz2tIm0U:qc3vdUEWFySfdw3rtIm

    Score
    10/10
    discoverygurcuagilenetmotwpersistencephishingspywarestealer

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • A potential corporate email address has been identified in the URL: =@L

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks