gurcu | 5f4886a8b8e573c2daede58c73bd4ed31bb2310902ba8c384197a8c6e9273dfe | Triage

Submit
Reports

Overview

overview

Static

static

initialize.exe

windows10-ltsc_2021-x64

Sharing

General

Target

initialize.exe
Size

77KB
Sample

250329-nlvl9atnw2
MD5

cf10bc29fa7cf0eecbc8b588e8e4b8a9
SHA1

14ff3efa93fb23044658072ee8ec0afc368653a3
SHA256

5f4886a8b8e573c2daede58c73bd4ed31bb2310902ba8c384197a8c6e9273dfe
SHA512

6ef226b5c2582e9980bfea977ef7adf40257f5a11aeacbfda71d682e182207f9e4cb7d95d6ff6e70b13811b238c8b8bc18aa114d33dc9ff49f274c50d0061f89
SSDEEP

1536:zQMYzTYBo8kvIVGbA/pqtkeI/ObHs9TyTWlYKN6Yx6OOE01I3:kMgEu8MIVgUpsbI/ObHCmTWeKoO3gQ

Score

10^/10

gurcu xworm discovery execution rat stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

initialize.exe

Resource

win10ltsc2021-20250314-en

gurcu xworm discovery execution rat stealer trojan

windows10-ltsc_2021-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

developed-headline.gl.at.ply.gg:12171

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7233744522:AAF4C4kHsWhsji1M9XSwnhnp-8xmfNuBpLs/sendMessage?chat_id=5445326064

Extracted

Language

ps1

Source

URLs

exe.dropper

http://activetools.live/data.bat

exe.dropper

http://activetools.live/Host.vbs

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/Ladyhaha06/Python/archive/refs/heads/main.zip

Extracted

Family

xworm

Version

5.0

C2

15.235.130.195:7000

Mutex

nIGrXTARcqqUL0y6

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7521511416:AAF9XlqNWPqzl6LkH7jQe-YyUvkLv_AVsQw

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7521511416:AAF9XlqNWPqzl6LkH7jQe-YyUvkLv_AVsQw/sendMessage?chat_id=-4799055577

Targets

- Target
  
  initialize.exe
- Size
  
  77KB
- MD5
  
  cf10bc29fa7cf0eecbc8b588e8e4b8a9
- SHA1
  
  14ff3efa93fb23044658072ee8ec0afc368653a3
- SHA256
  
  5f4886a8b8e573c2daede58c73bd4ed31bb2310902ba8c384197a8c6e9273dfe
- SHA512
  
  6ef226b5c2582e9980bfea977ef7adf40257f5a11aeacbfda71d682e182207f9e4cb7d95d6ff6e70b13811b238c8b8bc18aa114d33dc9ff49f274c50d0061f89
- SSDEEP
  
  1536:zQMYzTYBo8kvIVGbA/pqtkeI/ObHs9TyTWlYKN6Yx6OOE01I3:kMgEu8MIVgUpsbI/ObHCmTWeKoO3gQ
Score

10^/10

gurcu xworm discovery execution rat stealer trojan
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gurcuxwormdiscoveryexecutionratstealertrojan

© 2018-2025

Terms | Privacy