General

  • Target

    Wave-Setup.exe

  • Size

    167.7MB

  • Sample

    241231-m1ec5sxjhy

  • MD5

    c9c04d46aab910c3fb582c1e25c3896e

  • SHA1

    5ebc2f21c782a67d7cc9cd3b55e5a3d6d9cb4d16

  • SHA256

    14d71e1c25f215964f43883acff3350a8b06b09cb6a28a1dd1c570d4fb3539cf

  • SHA512

    1adf258a8b522a471c0309176c7ebe06f2ddb200e3859434f3971826ce6db6efa1d7d11f6c67caf2b1638bc145203aced2638604eb9b61178341708a9bc71351

  • SSDEEP

    3145728:LyRJJJ7WbgF0vBxp+WplFbi9BJkU7RMGoHSyAPgdg3ib33ohJH69WfKNZLZM+tpK:LyRs0F0vzp+WPFbkkUqJSyANib33ovam

Malware Config

Extracted

Family

xworm

C2

myskibiditoilet.zapto.org:42662

Attributes

  • Install_directory

    %AppData%

  • install_file

    RuntimeBroker.exe

  • telegram

    https://api.telegram.org/bot7651370384:AAE3dzYciolJDs_mgF8GV1UU_t9gHCrSpQM/sendMessage?chat_id=6338341120

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7651370384:AAE3dzYciolJDs_mgF8GV1UU_t9gHCrSpQM/sendMessage?chat_id=6338341120

Targets

    • Target

      Wave-Setup.exe

    • Size

      167.7MB

    • MD5

      c9c04d46aab910c3fb582c1e25c3896e

    • SHA1

      5ebc2f21c782a67d7cc9cd3b55e5a3d6d9cb4d16

    • SHA256

      14d71e1c25f215964f43883acff3350a8b06b09cb6a28a1dd1c570d4fb3539cf

    • SHA512

      1adf258a8b522a471c0309176c7ebe06f2ddb200e3859434f3971826ce6db6efa1d7d11f6c67caf2b1638bc145203aced2638604eb9b61178341708a9bc71351

    • SSDEEP

      3145728:LyRJJJ7WbgF0vBxp+WplFbi9BJkU7RMGoHSyAPgdg3ib33ohJH69WfKNZLZM+tpK:LyRs0F0vzp+WPFbkkUqJSyANib33ovam

    • Detect Xworm Payload

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks