gurcu | 41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034

Analysis

max time kernel
184s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
Size

3.7MB
MD5

9b2f1f65ce3f58b4ce229409f39a8d2b
SHA1

5699542019f22d4f44ee2f8a63b5980b819ce72d
SHA256

41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034
SHA512

028f195e504c8da9150834438a3abc76c8a3d2a42cdec4e8c17e7e48aa0fae73470575f8eb3bff97c47b951f612f1533f06fd627c282df258ff34e543a94e2fa
SSDEEP

98304:TkMZ2Vi5bIn6tDdz2JLOsWynvvPUiXYT1/mxGlof6:TkMAA586tDdzALOs5vnUiXYguF

Score

10^/10

gurcu redline infostealer stealer

Malware Config

Extracted

Family

redline

95.181.152.8:46927

Attributes

auth_value
cdf3919a262c0d6ba99116b375d7551c

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2280-18-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3132	@zxckostyan4ik_crypted.exe
2128	Smithianism.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
89	icanhazip.com
90	icanhazip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3132 set thread context of 2280	3132	@zxckostyan4ik_crypted.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2280	RegAsm.exe
2280	RegAsm.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe
2128	Smithianism.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	RegAsm.exe
Token: SeDebugPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe
Token: SeSecurityPrivilege	2128	Smithianism.exe
Token: SeBackupPrivilege	2128	Smithianism.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3132	3100	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	89
PID 3100 wrote to memory of 3132	3100	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	89
PID 3100 wrote to memory of 2128	3100	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	91
PID 3100 wrote to memory of 2128	3100	41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe	91
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93
PID 3132 wrote to memory of 2280	3132	@zxckostyan4ik_crypted.exe	93

C:\Users\Admin\AppData\Local\Temp\41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe
"C:\Users\Admin\AppData\Local\Temp\41e1ac9c4acfe3fbb09f212ef7f3534baa74413cf4830ad934a0ef435ddf1034.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe
  C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\Smithianism.exe
  C:\Users\Admin\AppData\Local\Temp\Smithianism.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe

Filesize
506KB

MD5
52cbba6d520f8f9c3f5425824fb23f78

SHA1
d4fa4290fe4729ee0a924712ad0f1a3cd4f11506

SHA256
9dd44e1f1893d46a4fa68bd19a2ad6b49b87bd0f47432dd2497f2a1f0d32d560

SHA512
0fce8f90ed02b3cf15e09878d220f946e8900b409f4d7d894df11fe37db39d89769d55194738f0ba85b9c6de2e664f2bc0913b5b1426df1945cbdb8ac8611222

Download Submit
C:\Users\Admin\AppData\Local\Temp\@zxckostyan4ik_crypted.exe

Filesize
506KB

MD5
52cbba6d520f8f9c3f5425824fb23f78

SHA1
d4fa4290fe4729ee0a924712ad0f1a3cd4f11506

SHA256
9dd44e1f1893d46a4fa68bd19a2ad6b49b87bd0f47432dd2497f2a1f0d32d560

SHA512
0fce8f90ed02b3cf15e09878d220f946e8900b409f4d7d894df11fe37db39d89769d55194738f0ba85b9c6de2e664f2bc0913b5b1426df1945cbdb8ac8611222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smithianism.exe

Filesize
3.6MB

MD5
355a3913d57c678eaae265f11b9e4262

SHA1
96b85ab1767ad661f6f94e647899179c3e74c5a5

SHA256
7f4827e9d612ba8ab56b4122dc1ee018e8bb84e8a6918e8953d2eb101d824d3c

SHA512
e04e331774013ce12ab5cf184d371304272a236846d4c82835595c9572244115adca1dad2348e6780c07c73948b043db2f61504766f8aec578383719c280d363

Download Submit
memory/2128-38-0x0000021D38290000-0x0000021D382A2000-memory.dmp

Filesize
72KB

Download
memory/2128-40-0x00007FFAC2C10000-0x00007FFAC2E05000-memory.dmp

Filesize
2.0MB

Download
memory/2128-10-0x0000021D1BE00000-0x0000021D1C198000-memory.dmp

Filesize
3.6MB

Download
memory/2128-51-0x00007FFAC1A40000-0x00007FFAC1AEC000-memory.dmp

Filesize
688KB

Download
memory/2128-50-0x00007FFAA3E20000-0x00007FFAA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-32-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-15-0x0000021D1DE60000-0x0000021D1DE7A000-memory.dmp

Filesize
104KB

Download
memory/2128-48-0x0000021D362B0000-0x0000021D362EC000-memory.dmp

Filesize
240KB

Download
memory/2128-47-0x0000021D36220000-0x0000021D36232000-memory.dmp

Filesize
72KB

Download
memory/2128-46-0x00007FFAC1A40000-0x00007FFAC1AEC000-memory.dmp

Filesize
688KB

Download
memory/2128-45-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-44-0x00007FFAC1A40000-0x00007FFAC1AEC000-memory.dmp

Filesize
688KB

Download
memory/2128-42-0x00007FFAC03C0000-0x00007FFAC0689000-memory.dmp

Filesize
2.8MB

Download
memory/2128-41-0x00007FFAC2350000-0x00007FFAC240E000-memory.dmp

Filesize
760KB

Download
memory/2128-23-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-24-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-25-0x00007FFAA3E20000-0x00007FFAA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-39-0x0000021D39ED0000-0x0000021D3A39C000-memory.dmp

Filesize
4.8MB

Download
memory/2128-37-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-36-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-11-0x00007FFAA3E20000-0x00007FFAA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-14-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-13-0x0000021D366C0000-0x0000021D369E0000-memory.dmp

Filesize
3.1MB

Download
memory/2128-31-0x0000021D1DE80000-0x0000021D1DE90000-memory.dmp

Filesize
64KB

Download
memory/2128-33-0x0000021D37F60000-0x0000021D38274000-memory.dmp

Filesize
3.1MB

Download
memory/2128-35-0x0000021D397B0000-0x0000021D399FE000-memory.dmp

Filesize
2.3MB

Download
memory/2280-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2280-22-0x0000000004E90000-0x0000000004EF6000-memory.dmp

Filesize
408KB

Download
memory/2280-27-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/2280-21-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/2280-26-0x0000000005FA0000-0x00000000065B8000-memory.dmp

Filesize
6.1MB

Download
memory/2280-34-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/2280-28-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/2280-29-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/2280-30-0x0000000005A00000-0x0000000005A4C000-memory.dmp

Filesize
304KB

Download
memory/3132-20-0x00007FFAA3E20000-0x00007FFAA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-17-0x000000001BA90000-0x000000001BAAE000-memory.dmp

Filesize
120KB

Download
memory/3132-16-0x000000001CA00000-0x000000001CA76000-memory.dmp

Filesize
472KB

Download
memory/3132-9-0x00007FFAA3E20000-0x00007FFAA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-12-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/3132-5-0x0000000000DA0000-0x0000000000E22000-memory.dmp

Filesize
520KB

Download