shurk | 13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309

General

Target

13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe
Size

737KB
MD5

549ff20a80778cb9367e1bf98950ed2c
SHA1

faf24d282d0fe762e9094d77f2c9823490dcc776
SHA256

13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309
SHA512

6e94a4b95b37ead2cac4dea2a23af5f11e02ae450fded489b5af720615e6c4699723105af20979c5c7cc4b11fab2c10717e668bfa09820681d6d77f0eb91f95b

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122d0-62.dat	shurk_stealer
behavioral1/files/0x000a0000000122d0-63.dat	shurk_stealer
behavioral1/files/0x000a0000000122d0-64.dat	shurk_stealer
behavioral1/files/0x000a0000000122d0-65.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe
1656	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe

Loads dropped DLL 4 IoCs

pid	Process
1272	cmd.exe
1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe
1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe
1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1656	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1460	912	13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe	27
PID 912 wrote to memory of 1460	912	13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe	27
PID 912 wrote to memory of 1460	912	13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe	27
PID 912 wrote to memory of 1460	912	13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe	27
PID 1460 wrote to memory of 1272	1460	WScript.exe	28
PID 1460 wrote to memory of 1272	1460	WScript.exe	28
PID 1460 wrote to memory of 1272	1460	WScript.exe	28
PID 1460 wrote to memory of 1272	1460	WScript.exe	28
PID 1272 wrote to memory of 1428	1272	cmd.exe	30
PID 1272 wrote to memory of 1428	1272	cmd.exe	30
PID 1272 wrote to memory of 1428	1272	cmd.exe	30
PID 1272 wrote to memory of 1428	1272	cmd.exe	30
PID 1428 wrote to memory of 1656	1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe	31
PID 1428 wrote to memory of 1656	1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe	31
PID 1428 wrote to memory of 1656	1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe	31
PID 1428 wrote to memory of 1656	1428	SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe
"C:\Users\Admin\AppData\Local\Temp\13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe
      SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe -pSSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing