Resubmissions
09/03/2025, 18:14
250309-wvp25axvd1 1009/03/2025, 15:53
250309-tb268svky7 808/03/2025, 20:22
250308-y5pv8asjy3 808/03/2025, 17:38
250308-v7ydlazrt9 907/03/2025, 15:40
250307-s4f9ssswaz 1007/03/2025, 13:18
250307-qj13cszzgz 306/03/2025, 15:59
250306-tfgfbssrs2 406/03/2025, 15:19
250306-sqa6mask16 805/03/2025, 14:43
250305-r3nf2s1tdt 805/03/2025, 14:28
250305-rtcm7a1ms4 8General
-
Target
test.txt
-
Size
18B
-
Sample
250202-k3nngsvlbs
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
Static task
static1
Behavioral task
behavioral1
Sample
test.txt
Resource
win11-20241007-en
Malware Config
Extracted
xworm
127.0.0.1:7000
kl2gNShVinepnLCw
-
install_file
USB.exe
Extracted
gurcu
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.38%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=-1002258988684
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%93%B8Screenshot%20take
https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=-1002258988684&caption=%F0%9F%A5%A0Cookies%20from%20these%20websites%20%5Bgithub.com%5D%20were%20successfully%20grabbe
Targets
-
-
Target
test.txt
-
Size
18B
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
-
Detect Xworm Payload
-
Gurcu family
-
UAC bypass
-
Xworm family
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Authentication Process
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1