General

Target: https://github.com/newbigs/newintsh
Sample: 250212-lvntyswpgy
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/newbigs/newintsh
Resource: win10v2004-20250207-en
Malware Config

Extracted: xworm
- 5.0
- 172.245.20.209:7000
- 64.7.198.74:7000
- 2r6vo6BvMgtBs26q
- install_file: USB.exe
- telegram: https://api.telegram.org/bot7745567455:AAHJJMwjM2fEKRTzDuYpjGsEm_c35cD-3mY

Extracted: gurcu
- https://api.telegram.org/bot7745567455:AAHJJMwjM2fEKRTzDuYpjGsEm_c35cD-3mY/sendMessage?chat_id=-4702051411
- https://api.telegram.org/bot7789746445:AAHZp-GtY5N35XwplIUS6rf6BjuHebMQYw0/sendMessage?chat_id=-4553928412
Targets

Target: https://github.com/newbigs/newintsh

- Detect Xworm Payload
- Gurcu family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm family
- Blocklisted process makes network request
- Downloads MZ/PE file
- Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation: Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15

Discovery
- Browser Information Discovery: 1
- Peripheral Device Discovery: 1
- Process Discovery: 1
- Query Registry: 2
- System Information Discovery: 5
- System Location Discovery: 1
- System Language Discovery: 1
- System Network Configuration Discovery: 2
- Internet Connection Discovery: 1
- Wi-Fi Discovery: 1