gurcu | 56abf6e0538aa01c4d703d318d6ab9d9f1d82a56e8327fa051af57c209270721 | Triage

Submit
Reports

Overview

overview

Static

static

Runtime Broker.exe

windows10-ltsc 2021-x64

Sharing

General

Target

Runtime Broker.exe
Size

41KB
Sample

250103-s64swa1nbt
MD5

3d8c8bdb3f9f8e2176e28bef2c32a872
SHA1

c94ee52f063a8bcb37878a4a35f01e649a82d452
SHA256

56abf6e0538aa01c4d703d318d6ab9d9f1d82a56e8327fa051af57c209270721
SHA512

8ade0497a2f0d203c564fd90f7a370dc5c4c4bc6b2ec32d33da3d57897f4409b2857883aa3bb6c21276960035d07079422aaaf72987b9cce0e10efad77759138
SSDEEP

768:zgBqG/D6Ykg+h5NMhllLW4pF5PM9lErl6TOwhp3tQj8:S3/D6A+hnErTFy9Wx6TOwPc8

Score

10^/10

gurcu xworm execution persistence rat stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Runtime Broker.exe

Resource

win10ltsc2021-20241211-en

gurcu xworm execution persistence rat stealer trojan

windows10-ltsc 2021-x64

23 signatures

600 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

89uVkC69u7sBIP4Y

Attributes

Install_directory
%Temp%
install_file
update.exe
pastebin_url
https://pastebin.com/raw/EPNvLhJF
telegram
https://api.telegram.org/bot7343382434:AAHVbjA3UMvHkIXFmk_EqanDZDs1lJukPtw/sendMessage?chat_id=1867331552

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7343382434:AAHVbjA3UMvHkIXFmk_EqanDZDs1lJukPtw/sendMessage?chat_id=1867331552

Targets

- Target
  
  Runtime Broker.exe
- Size
  
  41KB
- MD5
  
  3d8c8bdb3f9f8e2176e28bef2c32a872
- SHA1
  
  c94ee52f063a8bcb37878a4a35f01e649a82d452
- SHA256
  
  56abf6e0538aa01c4d703d318d6ab9d9f1d82a56e8327fa051af57c209270721
- SHA512
  
  8ade0497a2f0d203c564fd90f7a370dc5c4c4bc6b2ec32d33da3d57897f4409b2857883aa3bb6c21276960035d07079422aaaf72987b9cce0e10efad77759138
- SSDEEP
  
  768:zgBqG/D6Ykg+h5NMhllLW4pF5PM9lErl6TOwhp3tQj8:S3/D6A+hnErTFy9Wx6TOwPc8
Score

10^/10

gurcu xworm execution persistence rat stealer trojan
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gurcuxwormexecutionpersistenceratstealertrojan

© 2018-2025

Terms | Privacy