Overview

overview

10

Static

static

3

XWorm V6.0.exe

windows7-x64

10

XWorm V6.0.exe

windows10-2004-x64

10

Resubmissions

07-02-2025 03:53

250207-efrtqsxpd1 10

07-02-2025 03:51

250207-eerscayrhk 10

07-02-2025 01:20

250207-bqhr2avpck 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V6.0.exe

  • Size

    21.6MB

  • Sample

    250207-bqhr2avpck

  • MD5

    ba23d65ef70b05cd3b04dfcbbd801059

  • SHA1

    5c241dc3d79f61bdf82d091bfe29bca2e641d802

  • SHA256

    0712085082841796a11be3e988c1cc131d1608809321683d4e4482363f616e0d

  • SHA512

    d32a4838ca544b9b4764bb99b716faf797aa194199151426a8848c1ed27b5f2428629324d30f15db138ff56d34d46233e3ef106ad416eff29de43eb8ade0eff9

  • SSDEEP

    393216:6JSgxj4gebngiHe2bD616QWBbdw6s8qaPNL1Zjo7YOiFSbzPQWrGMYV3j+cintc:4agiHe2n61Ub1fqY1Z8WSPFrlNHnt

Score
10/10
gurcustealeriumxwormdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WcpxqjjxSrB6UOUw

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

  • telegram

    https://api.telegram.org/bot7483240807:AAHWuUBi6sW9ZOb0kfXVbzbMVyLtPj-9vZY/sendMessage?chat_id=5279018187

aes.plain
aes.plain
aes.plain

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getM

Targets

    • Target

      XWorm V6.0.exe

    • Size

      21.6MB

    • MD5

      ba23d65ef70b05cd3b04dfcbbd801059

    • SHA1

      5c241dc3d79f61bdf82d091bfe29bca2e641d802

    • SHA256

      0712085082841796a11be3e988c1cc131d1608809321683d4e4482363f616e0d

    • SHA512

      d32a4838ca544b9b4764bb99b716faf797aa194199151426a8848c1ed27b5f2428629324d30f15db138ff56d34d46233e3ef106ad416eff29de43eb8ade0eff9

    • SSDEEP

      393216:6JSgxj4gebngiHe2bD616QWBbdw6s8qaPNL1Zjo7YOiFSbzPQWrGMYV3j+cintc:4agiHe2n61Ub1fqY1Z8WSPFrlNHnt

    Score
    10/10
    stealeriumxwormexecutionpersistenceratstealertrojangurcudiscovery

    • Detect Xworm Payload

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Stealerium family

      stealerium

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks