shurk | 6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351

General

Target

6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe
Size

732KB
MD5

81adb2ef2270ab5b212b223738122121
SHA1

e3098ffdd203f72d4a146bfdbbe19a99969183e0
SHA256

6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351
SHA512

0cd2cec5972912501a1c0a474de80046ab40f1399ce0dd98984912b95d3178b4a3499a8b54caba684eb43df45b3679ff1592497fb30e7e6a6aa8e13debc08278

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0004000000000729-141.dat	shurk_stealer
behavioral2/files/0x0004000000000729-142.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
1892	xlendersbengengsleleje.sfx.exe
4612	xlendersbengengsleleje.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	xlendersbengengsleleje.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	xlendersbengengsleleje.exe
4612	xlendersbengengsleleje.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 5104	1344	6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe	80
PID 1344 wrote to memory of 5104	1344	6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe	80
PID 1344 wrote to memory of 5104	1344	6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe	80
PID 5104 wrote to memory of 1260	5104	WScript.exe	81
PID 5104 wrote to memory of 1260	5104	WScript.exe	81
PID 5104 wrote to memory of 1260	5104	WScript.exe	81
PID 1260 wrote to memory of 1892	1260	cmd.exe	83
PID 1260 wrote to memory of 1892	1260	cmd.exe	83
PID 1260 wrote to memory of 1892	1260	cmd.exe	83
PID 1892 wrote to memory of 4612	1892	xlendersbengengsleleje.sfx.exe	84
PID 1892 wrote to memory of 4612	1892	xlendersbengengsleleje.sfx.exe	84
PID 1892 wrote to memory of 4612	1892	xlendersbengengsleleje.sfx.exe	84

C:\Users\Admin\AppData\Local\Temp\6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe
"C:\Users\Admin\AppData\Local\Temp\6ca2a5f5dc6c5cce325bb75cfd32f662d1fa394cd55cc1ab435b510a9c201351.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.sfx.exe
      xlendersbengengsleleje.sfx.exe -pxlendersbengengsleleje.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
79B

MD5
5f42fe1fe138470e0cc4dee2cfc14223

SHA1
ce811c313a18abb9a429009c3916a2e001de3f00

SHA256
8834097b1b01fe06d94d03707e42a75067386e0d48d1d4a32e5e113276c49202

SHA512
feb19a8542fc999e54dc22e19b9ab7b4dfe14192edaa23b865e973fe6a72ef896d817bdbe2a9ac10f4b3c64bbe9d3c4a663cab7a5248c6809da2450ab9e3e108

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.exe

Filesize
499KB

MD5
ed5e8fc1768b2a5f12d982a3508a87ff

SHA1
3e0d2e97dd7febefa73da256952c25eb65582738

SHA256
8a71ef04902b9e033cbd298ba3cee7bb4bf4bef59e272963f28498980b32edfb

SHA512
74b8efa488615c7787cd3e20f675cb451400bd28030d39fb8b6cc28353edf086f28d74571b3c5682f297cbe46fb1da03f605e6f22f4ab7c7a4fc3d1b1b728d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.exe

Filesize
499KB

MD5
ed5e8fc1768b2a5f12d982a3508a87ff

SHA1
3e0d2e97dd7febefa73da256952c25eb65582738

SHA256
8a71ef04902b9e033cbd298ba3cee7bb4bf4bef59e272963f28498980b32edfb

SHA512
74b8efa488615c7787cd3e20f675cb451400bd28030d39fb8b6cc28353edf086f28d74571b3c5682f297cbe46fb1da03f605e6f22f4ab7c7a4fc3d1b1b728d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.sfx.exe

Filesize
568KB

MD5
624f029a60cc3a3e0533d66ba8c45930

SHA1
e0cfef3f1ee8c44cad1597958a4907ae45dd4294

SHA256
2ec3b0e7ab63c74bdfd281c92f175af7a39eab57fa6a659e51444a82979e066b

SHA512
95cb7add1d98433cbffb5a6626e77515b9cfebda9f4b71a10850de30620a105d7594e3ee2f51e93e08d456fa1fe08716afff01240d34ffb79eb9d92fb4b644e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlendersbengengsleleje.sfx.exe

Filesize
568KB

MD5
624f029a60cc3a3e0533d66ba8c45930

SHA1
e0cfef3f1ee8c44cad1597958a4907ae45dd4294

SHA256
2ec3b0e7ab63c74bdfd281c92f175af7a39eab57fa6a659e51444a82979e066b

SHA512
95cb7add1d98433cbffb5a6626e77515b9cfebda9f4b71a10850de30620a105d7594e3ee2f51e93e08d456fa1fe08716afff01240d34ffb79eb9d92fb4b644e8

Download Submit

Analysis

Sharing