gurcu | 9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f

General

Target

Rasauq Launcher.exe
Size

84KB
Sample

250320-mqf4zsvjt5
MD5

569a09ebfa64b8f5ec39a17c2b3bc4dd
SHA1

1d2b2b9c024f2e204ab0b4bbba9a6c305038d487
SHA256

9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f
SHA512

960af03f64621beda154dc986cb80d3370f11cb1fe846bc91ec8ba6782dd71dba229926ef2fea0fec208713e6b5af07912ca1045c40fe5c246dd6377529ee01b
SSDEEP

1536:l5e2sHTvN2b4p98BcYCXSg0qMl3nRgt5P7ZJUqAA/WkywGKwkvOWkDDiun:q2W0n4lEl3RE5veV2Wniun

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

looking-brings.gl.at.ply.gg:65381

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8074871433:AAGd-vCZQOlCC_n2SUFT-qQ6fFThcBVDd1Y/sendMessage?chat_id=1002422094535

Targets

- Target
  
  Rasauq Launcher.exe
- Size
  
  84KB
- MD5
  
  569a09ebfa64b8f5ec39a17c2b3bc4dd
- SHA1
  
  1d2b2b9c024f2e204ab0b4bbba9a6c305038d487
- SHA256
  
  9fc53dcefce749b23c8f907dc44d498d15058a5b2cedb7c94e1cd42c88176c2f
- SHA512
  
  960af03f64621beda154dc986cb80d3370f11cb1fe846bc91ec8ba6782dd71dba229926ef2fea0fec208713e6b5af07912ca1045c40fe5c246dd6377529ee01b
- SSDEEP
  
  1536:l5e2sHTvN2b4p98BcYCXSg0qMl3nRgt5P7ZJUqAA/WkywGKwkvOWkDDiun:q2W0n4lEl3RE5veV2Wniun
Score

10^/10

xworm defense_evasion execution persistence rat trojan gurcu discovery evasion exploit privilege_escalation ransomware stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Disables service(s)
  defense_evasion execution
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies security service
  defense_evasion
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Modifies Windows Firewall
  defense_evasion
- Possible privilege escalation attempt
  exploit
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2