General
-
Target
gta.exe
-
Size
256KB
-
Sample
241229-zxyzlaxmcj
-
MD5
38405cd821fa35824d367aedff252ed2
-
SHA1
b70f9b3de189a89762d31caf11aafad410f2b1bd
-
SHA256
f8ed103574089d431ad8eaac8c8cba0240da701beb8df26011c7c97a6c981182
-
SHA512
c3225c965a817487ec0453a0ed9dd6807983fa3980fc5da2f9d8767fc7cbfa1557d2c0d8754c77be94217a5676737cdf152a64f383cebc2bf9f1198f5b7bd5a3
-
SSDEEP
3072:nOoQq3wNXKk2zg3bQqTJAOJh23R6eBdte1FKNfAc/vnew0sFetD79OzWPEMiZJ:nV+6/zcb9VGfAc/v10sQOzWPEh
Behavioral task
behavioral1
Sample
gta.exe
Resource
win7-20240903-en
Malware Config
Extracted
xworm
5.1
127.0.0.1:37897
global-protective.gl.at.ply.gg:37897:37897
global-protective.gl.at.ply.gg:37897
-
Install_directory
%ProgramData%
-
install_file
nerat.exe
-
telegram
https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY
Extracted
gurcu
https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY/sendMessage?chat_id=@ratnichektg_bot
Targets
-
-
Target
gta.exe
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Gurcu family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
-
Boot or Logon Autostart Execution: Active Setup (1)
-
Create or Modify System Process: Windows Service (1)
Privilege Escalation
-
Boot or Logon Autostart Execution: Active Setup (1)
-
Create or Modify System Process: Windows Service (1)