General

  • Target

    Wave-Setup.rar

  • Size

    167.7MB

  • Sample

    241224-mn2mxavqdp

  • MD5

    de7e49e9bcdd16b5277e1e3530809190

  • SHA1

    8141f3a016c06d77928aa71c6b43c85a69168fce

  • SHA256

    f6a128d68369bc3168bb3a62ca2ee3d76358451c19ef1856f3e7f3f08be49ae1

  • SHA512

    3bcd32324865ef5e483b9ab086a80992647834006559410aa9d240065bacb2b820bdb1a404581201bafca6f814a5427252e646074f2d646c0a2cf213a947e0ef

  • SSDEEP

    3145728:R3/uBX3vh5enGs17YW8mxrzY1fFSMzroxK8DGjnYnkNaaJ7uj:Ic3xPQroxKL6kNa0k

Malware Config

Extracted

Family

xworm

C2

performance-fate.gl.at.ply.gg:42662

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7651370384:AAG232SHNI0DUqNg_k8ER0yNF115YV4vH08/sendMessage?chat_id=6338341120

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7651370384:AAG232SHNI0DUqNg_k8ER0yNF115YV4vH08/sendMessage?chat_id=6338341120

Targets

    • Target

      Wave-Setup.rar

    • Size

      167.7MB

    • MD5

      de7e49e9bcdd16b5277e1e3530809190

    • SHA1

      8141f3a016c06d77928aa71c6b43c85a69168fce

    • SHA256

      f6a128d68369bc3168bb3a62ca2ee3d76358451c19ef1856f3e7f3f08be49ae1

    • SHA512

      3bcd32324865ef5e483b9ab086a80992647834006559410aa9d240065bacb2b820bdb1a404581201bafca6f814a5427252e646074f2d646c0a2cf213a947e0ef

    • SSDEEP

      3145728:R3/uBX3vh5enGs17YW8mxrzY1fFSMzroxK8DGjnYnkNaaJ7uj:Ic3xPQroxKL6kNa0k

    • Detect Xworm Payload

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks