gurcu | b371eae7b55688d307b653759c2d4ddfe3672eb7b5567bcfa9c3f75f5c6d6255

General

Target

Start.exe
Size

301KB
MD5

9a0e31ffbe7ecc3a2a6f968b2a8d5567
SHA1

e88e76fe96616649d2558923afe457ce3b1976ec
SHA256

b371eae7b55688d307b653759c2d4ddfe3672eb7b5567bcfa9c3f75f5c6d6255
SHA512

db64b27997e5305473572ee8a60573032e51fbfbdc48670d9adef8ba23c81e8845d073383299c94f87a0100c74ca0e6968b9f468fc46e31e221a71ad69a32749
SSDEEP

6144:S1eFfHQTBVVzJxmKg/R3xNJyZsMoONeL1Ip4w3qm:gPBV9JxmKE7JfVONUGqm

Score

10^/10

gurcu redline discovery infostealer stealer

Malware Config

Extracted

Family

redline

C2

65.108.29.210:21638

Attributes

auth_value
ad39d6a8ea7823f2a92f57ebaa4c98a5

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/8-8-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 8	4180	Start.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
8	Start.exe
8	Start.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	Start.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83
PID 4180 wrote to memory of 8	4180	Start.exe	83

C:\Users\Admin\AppData\Local\Temp\Start.exe
"C:\Users\Admin\AppData\Local\Temp\Start.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\Start.exe
  "C:\Users\Admin\AppData\Local\Temp\Start.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Start.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/8-16-0x0000000006320000-0x0000000006938000-memory.dmp

Filesize
6.1MB

Download
memory/8-15-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/8-12-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/8-19-0x0000000005DD0000-0x0000000005E0C000-memory.dmp

Filesize
240KB

Download
memory/8-18-0x0000000005E90000-0x0000000005F9A000-memory.dmp

Filesize
1.0MB

Download
memory/8-17-0x0000000005D60000-0x0000000005D72000-memory.dmp

Filesize
72KB

Download
memory/8-14-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/8-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8-11-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/8-20-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/4180-13-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/4180-7-0x0000000005130000-0x000000000514E000-memory.dmp

Filesize
120KB

Download
memory/4180-2-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/4180-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/4180-6-0x00000000051B0000-0x0000000005226000-memory.dmp

Filesize
472KB

Download
memory/4180-5-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-4-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/4180-1-0x00000000003A0000-0x00000000003F0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing