shurk | 30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09

Analysis

max time kernel
140s
max time network
164s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe
Size

731KB
MD5

28874004a01799ba8395ce196e6cb0e0
SHA1

7837f1be070ce7a7f857a2eb225818780fd4a420
SHA256

30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09
SHA512

7bbfb6c523433b329b765a355f62d2df20c44ffd1cb4472a5674050867c77b45bc086102e25c3e3b6112a2477a9cb1ac0a10fb0b4fa186438557919c0438856b

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001231d-65.dat	shurk_stealer
behavioral1/files/0x000a00000001231d-66.dat	shurk_stealer
behavioral1/files/0x000a00000001231d-67.dat	shurk_stealer
behavioral1/files/0x000a00000001231d-69.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
976	xellonewyoousrbeen.sfx.exe
1792	xellonewyoousrbeen.exe

Loads dropped DLL 4 IoCs

pid	Process
320	cmd.exe
976	xellonewyoousrbeen.sfx.exe
976	xellonewyoousrbeen.sfx.exe
976	xellonewyoousrbeen.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1792	xellonewyoousrbeen.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1552	1500	30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe	28
PID 1500 wrote to memory of 1552	1500	30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe	28
PID 1500 wrote to memory of 1552	1500	30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe	28
PID 1500 wrote to memory of 1552	1500	30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe	28
PID 1552 wrote to memory of 320	1552	WScript.exe	29
PID 1552 wrote to memory of 320	1552	WScript.exe	29
PID 1552 wrote to memory of 320	1552	WScript.exe	29
PID 1552 wrote to memory of 320	1552	WScript.exe	29
PID 320 wrote to memory of 976	320	cmd.exe	31
PID 320 wrote to memory of 976	320	cmd.exe	31
PID 320 wrote to memory of 976	320	cmd.exe	31
PID 320 wrote to memory of 976	320	cmd.exe	31
PID 976 wrote to memory of 1792	976	xellonewyoousrbeen.sfx.exe	32
PID 976 wrote to memory of 1792	976	xellonewyoousrbeen.sfx.exe	32
PID 976 wrote to memory of 1792	976	xellonewyoousrbeen.sfx.exe	32
PID 976 wrote to memory of 1792	976	xellonewyoousrbeen.sfx.exe	32

C:\Users\Admin\AppData\Local\Temp\30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe
"C:\Users\Admin\AppData\Local\Temp\30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe
      xellonewyoousrbeen.sfx.exe -pxellonewyoousrbeen.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
71B

MD5
844274e64901102c45cd598a44d1d508

SHA1
07494226d0b4a605efc70591f2f5f71f3b287290

SHA256
2c0e210ec3bc7d33ee34deba20b867af0c356d2197120f38bdfc900fa11774a0

SHA512
6139d853208d61dff115334f1535994809c1f79f280efbc42146bf39f39ca7c97fd8346c9a004d59c186f1c524341ad02b516465f2fc52b5fcdee766978834d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe

Filesize
502KB

MD5
20a45d03d0efda64d3a550e13bdf659a

SHA1
239d865f85e2219706f6ae0525004755b8c6384c

SHA256
007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

SHA512
e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe

Filesize
567KB

MD5
c4ebee4e09dc7b5e8fe89ec368d8b13b

SHA1
3230b20e94cc8be564d16c12a6a9db6d2b0ad13d

SHA256
c5e5c5e17d79791742fa5be8c120eee740da1579c4083c10afeb63c2181ae161

SHA512
e4785e273f88677a2ba39af3cf755a13523881ccfbb3ad1c31da1437f19853b4f50b9bdc15891bb1029e69e92b05ed57f6d50368ffc1b02143402cac990f5c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe

Filesize
567KB

MD5
c4ebee4e09dc7b5e8fe89ec368d8b13b

SHA1
3230b20e94cc8be564d16c12a6a9db6d2b0ad13d

SHA256
c5e5c5e17d79791742fa5be8c120eee740da1579c4083c10afeb63c2181ae161

SHA512
e4785e273f88677a2ba39af3cf755a13523881ccfbb3ad1c31da1437f19853b4f50b9bdc15891bb1029e69e92b05ed57f6d50368ffc1b02143402cac990f5c3b

Download Submit
\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe

Filesize
502KB

MD5
20a45d03d0efda64d3a550e13bdf659a

SHA1
239d865f85e2219706f6ae0525004755b8c6384c

SHA256
007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

SHA512
e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

Download Submit
\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe

Filesize
502KB

MD5
20a45d03d0efda64d3a550e13bdf659a

SHA1
239d865f85e2219706f6ae0525004755b8c6384c

SHA256
007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

SHA512
e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

Download Submit
\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe

Filesize
502KB

MD5
20a45d03d0efda64d3a550e13bdf659a

SHA1
239d865f85e2219706f6ae0525004755b8c6384c

SHA256
007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

SHA512
e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

Download Submit
\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe

Filesize
567KB

MD5
c4ebee4e09dc7b5e8fe89ec368d8b13b

SHA1
3230b20e94cc8be564d16c12a6a9db6d2b0ad13d

SHA256
c5e5c5e17d79791742fa5be8c120eee740da1579c4083c10afeb63c2181ae161

SHA512
e4785e273f88677a2ba39af3cf755a13523881ccfbb3ad1c31da1437f19853b4f50b9bdc15891bb1029e69e92b05ed57f6d50368ffc1b02143402cac990f5c3b

Download Submit
memory/1500-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download