General

  • Target

    2ee2e22e2e.exe

  • Size

    236KB

  • Sample

    250311-hrvasavrz5

  • MD5

    04b6405a73eabb73ffda18cdc81dfd05

  • SHA1

    87c30e3737960264bc9bfc45d699effecc47b24a

  • SHA256

    bc9464c1fefdee10217ae799ab2f732f2f2b4968f428b163c60747dc3cf223b9

  • SHA512

    84ae1ab47ba21cef2ed9abf8dbe002ef6c915ba2e3e8d3c521812d2fa979f9840096b342cbbcd48f5f1b7188e8f693b41db4cf1771d8f49ff5803cb0715b05e3

  • SSDEEP

    3072:lDEdiqPevSK4bSRO2PnlVOQq0u8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3K0:edTmEbsyUhcX7elbKTua9bfF/H9d9n

Malware Config

Extracted

Family

xworm

Version

3.1

C2

147.185.221.22:41812

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7887692167:AAHuXEYzHn5CQbiqaKHcvU2ozy6OUZ1NSOQ/sendMessage?chat_id=6403120066

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7887692167:AAHuXEYzHn5CQbiqaKHcvU2ozy6OUZ1NSOQ/sendMessage?chat_id=6403120066

Targets

    • Target

      2ee2e22e2e.exe

    • Size

      236KB

    • MD5

      04b6405a73eabb73ffda18cdc81dfd05

    • SHA1

      87c30e3737960264bc9bfc45d699effecc47b24a

    • SHA256

      bc9464c1fefdee10217ae799ab2f732f2f2b4968f428b163c60747dc3cf223b9

    • SHA512

      84ae1ab47ba21cef2ed9abf8dbe002ef6c915ba2e3e8d3c521812d2fa979f9840096b342cbbcd48f5f1b7188e8f693b41db4cf1771d8f49ff5803cb0715b05e3

    • SSDEEP

      3072:lDEdiqPevSK4bSRO2PnlVOQq0u8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3K0:edTmEbsyUhcX7elbKTua9bfF/H9d9n

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Modifies Windows Defender Real-time Protection settings

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks