gurcu | 9576e9374b80cf62824e4de89e24f6bf18617e1ce62d21a1a1a0c72ce45c9090

General

Target

XS CRACK.exe
Size

22.1MB
Sample

250125-hm4cws1ld1
MD5

8313790fde74e18b43d255f830af9b00
SHA1

0123f92f250415b13f0b1a3c8e60d9b3212de255
SHA256

9576e9374b80cf62824e4de89e24f6bf18617e1ce62d21a1a1a0c72ce45c9090
SHA512

b120f54939840fd2881e0a8b39872456f8712a3cb7e4471c47618ca9268464a2fd743adac3ac85e014b130654d8d7edd3e4aa04a9982eee518201b4d7c1828e5
SSDEEP

1536:QebSCbpDbmenavCGrYuFJQ9ZrR9E4ub0tAr+:t+utbmHrYuFKrR95tAC

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

very-stars.gl.at.ply.gg:23028

Attributes

Install_directory
%ProgramData%
install_file
system64.exe
telegram
https://api.telegram.org/bot7592133817:AAFoMe-c16pn4My7-EODEINEZeWZ2Milavo/sendMessage?chat_id=6723354517

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7592133817:AAFoMe-c16pn4My7-EODEINEZeWZ2Milavo/sendMessage?chat_id=6723354517

Targets

- Target
  
  XS CRACK.exe
- Size
  
  22.1MB
- MD5
  
  8313790fde74e18b43d255f830af9b00
- SHA1
  
  0123f92f250415b13f0b1a3c8e60d9b3212de255
- SHA256
  
  9576e9374b80cf62824e4de89e24f6bf18617e1ce62d21a1a1a0c72ce45c9090
- SHA512
  
  b120f54939840fd2881e0a8b39872456f8712a3cb7e4471c47618ca9268464a2fd743adac3ac85e014b130654d8d7edd3e4aa04a9982eee518201b4d7c1828e5
- SSDEEP
  
  1536:QebSCbpDbmenavCGrYuFJQ9ZrR9E4ub0tAr+:t+utbmHrYuFKrR95tAC
Score

10^/10

gurcu xworm defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1