gurcu | 41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034

Analysis

max time kernel
164s
max time network
196s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
Size

3.7MB
MD5

9b2f1f65ce3f58b4ce229409f39a8d2b
SHA1

5699542019f22d4f44ee2f8a63b5980b819ce72d
SHA256

41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034
SHA512

028f195e504c8da9150834438a3abc76c8a3d2a42cdec4e8c17e7e48aa0fae73470575f8eb3bff97c47b951f612f1533f06fd627c282df258ff34e543a94e2fa
SSDEEP

98304:TkMZ2Vi5bIn6tDdz2JLOsWynvvPUiXYT1/mxGlof6:TkMAA586tDdzALOs5vnUiXYguF

Score

10^/10

gurcu redline infostealer stealer

Malware Config

Extracted

Family

redline

95.181.152.8:46927

Attributes

auth_value
cdf3919a262c0d6ba99116b375d7551c

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2960-26-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2960-23-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2960-24-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2960-28-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2960-31-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2664	@zxckostyan4ik_crypted.exe
2608	Smithianism.exe
1416	Process not Found

Loads dropped DLL 8 IoCs

pid	Process
2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2960	2664	@zxckostyan4ik_crypted.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	RegAsm.exe
2960	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	Smithianism.exe
Token: SeDebugPrivilege	2960	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2664	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	29
PID 2892 wrote to memory of 2664	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	29
PID 2892 wrote to memory of 2664	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	29
PID 2892 wrote to memory of 2664	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	29
PID 2892 wrote to memory of 2608	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	30
PID 2892 wrote to memory of 2608	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	30
PID 2892 wrote to memory of 2608	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	30
PID 2892 wrote to memory of 2608	2892	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	30
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2664 wrote to memory of 2960	2664	@zxckostyan4ik_crypted.exe	31
PID 2608 wrote to memory of 2736	2608	Smithianism.exe	33
PID 2608 wrote to memory of 2736	2608	Smithianism.exe	33
PID 2608 wrote to memory of 2736	2608	Smithianism.exe	33

C:\Users\Admin\AppData\Local\Temp\41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
"C:\Users\Admin\AppData\Local\Temp\41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe
  C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\Smithianism.exe
  C:\Users\Admin\AppData\Local\Temp\Smithianism.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2608 -s 880
    3⤵
    - Loads dropped DLL
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe

Filesize
506KB

MD5
52cbba6d520f8f9c3f5425824fb23f78

SHA1
d4fa4290fe4729ee0a924712ad0f1a3cd4f11506

SHA256
9dd44e1f1893d46a4fa68bd19a2ad6b49b87bd0f47432dd2497f2a1f0d32d560

SHA512
0fce8f90ed02b3cf15e09878d220f946e8900b409f4d7d894df11fe37db39d89769d55194738f0ba85b9c6de2e664f2bc0913b5b1426df1945cbdb8ac8611222

Download Submit
C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe

Filesize
506KB

MD5
52cbba6d520f8f9c3f5425824fb23f78

SHA1
d4fa4290fe4729ee0a924712ad0f1a3cd4f11506

SHA256
9dd44e1f1893d46a4fa68bd19a2ad6b49b87bd0f47432dd2497f2a1f0d32d560

SHA512
0fce8f90ed02b3cf15e09878d220f946e8900b409f4d7d894df11fe37db39d89769d55194738f0ba85b9c6de2e664f2bc0913b5b1426df1945cbdb8ac8611222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe

Filesize
506KB

MD5
52cbba6d520f8f9c3f5425824fb23f78

SHA1
d4fa4290fe4729ee0a924712ad0f1a3cd4f11506

SHA256
9dd44e1f1893d46a4fa68bd19a2ad6b49b87bd0f47432dd2497f2a1f0d32d560

SHA512
0fce8f90ed02b3cf15e09878d220f946e8900b409f4d7d894df11fe37db39d89769d55194738f0ba85b9c6de2e664f2bc0913b5b1426df1945cbdb8ac8611222

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
memory/2608-47-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/2608-16-0x000007FEF4620000-0x000007FEF500C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-19-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/2608-18-0x000000001C3A0000-0x000000001C6C0000-memory.dmp

Filesize
3.1MB

Download
memory/2608-14-0x0000000000C20000-0x0000000000FB8000-memory.dmp

Filesize
3.6MB

Download
memory/2608-35-0x0000000021100000-0x000000002134E000-memory.dmp

Filesize
2.3MB

Download
memory/2608-46-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2608-20-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2608-39-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/2608-37-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2608-36-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2608-32-0x000007FEF4620000-0x000007FEF500C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-33-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2608-34-0x000000001ADE0000-0x000000001B0F4000-memory.dmp

Filesize
3.1MB

Download
memory/2664-15-0x000007FEF4620000-0x000007FEF500C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-29-0x000007FEF4620000-0x000007FEF500C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-17-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2664-13-0x0000000000EB0000-0x0000000000F32000-memory.dmp

Filesize
520KB

Download
memory/2960-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download