shurk | 26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322

General

Target

26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe
Size

1.5MB
MD5

624cc456a092da6c9e6743ae6c8e23ae
SHA1

dce5d9d408802275eed56373aef0fd49053984e2
SHA256

26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322
SHA512

3e480419934d2c03e7499a9f79118638b6a8dd91ed744c08a5040c75a67ecd1d26cd64f6fba7070fcb32d2936991fd85e373fccd106d2dada9dbc599fbccbb11
SSDEEP

12288:anjVXpKgCPfJ5joXK2LUxv7VNdr1GI1xc8a+FwEwCGgRhde12kVSC4jkS695Dn19:YCHJ57xpLpLc8mEwCxL3kz9pn

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 9 IoCs

resource	yara_rule
behavioral1/memory/1956-64-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-66-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-68-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-69-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-71-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-72-0x00000000004494EA-mapping.dmp	shurk_stealer
behavioral1/memory/1956-75-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-76-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/1956-77-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer

Executes dropped EXE 1 IoCs

pid	Process
1956	AddInProcess32.exe

Loads dropped DLL 1 IoCs

pid	Process
1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe
1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe
1956	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27
PID 1500 wrote to memory of 1956	1500	26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe	27

C:\Users\Admin\AppData\Local\Temp\26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe
"C:\Users\Admin\AppData\Local\Temp\26e8e4ec167b6ab37ae7070e7dfccc0182e5987c914e55e043c5704dd8a36322.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1500-54-0x0000000000100000-0x000000000028C000-memory.dmp

Filesize
1.5MB

Download
memory/1500-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1500-56-0x0000000002010000-0x0000000002036000-memory.dmp

Filesize
152KB

Download
memory/1500-57-0x0000000004470000-0x0000000004476000-memory.dmp

Filesize
24KB

Download
memory/1500-58-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/1500-59-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1956-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1956-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing