Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11-07-2023 08:47
Static task: static1
Behavioral task: behavioral1
  Sample: Rust Hack.exe
  Resource: win10-20230703-en
Behavioral task: behavioral2
  Sample: Rust Hack.exe
  Resource: win7-20230703-en
Behavioral task: behavioral3
  Sample: Rust Hack.exe
  Resource: win10v2004-20230703-en
General
Target: Rust Hack.exe
Size: 7.0MB
MD5: a3c7d3b14f27d4426e9b4f4c578b4af1
SHA1: 56422509d3cd442311e7961dabd6222697461e64
SHA256: 57aa4872adba9a733f5ce772f4a4bfd579210656323d000a44107a96ba736cdf
SHA512: 0de1ef356b5dae03760f47fc80cc4f6e467a9aef0839b400d545e182a204f630f6f5bab3872d880702061026621b0d04b5c86f58138819a7859f75e09322268b
SSDEEP: 98304:eoFcATF6PTOsDqB2NHFMrVQBB3S3en5IXkHt+07GNlf6NGnAC053zfVjOTHif:eoFNJ6PTOsDqQPmQ2W3807ElbACY8TC
Malware Config
Signatures
Shurk
Shurk is an infostealer, written in C++, which first appeared in 2021.

Shurk Stealer payload (3 IoCs)
  resource -> yara_rule
  behavioral1/memory/2504-120-0x0000000000400000-0x0000000000C71000-memory.dmp -> shurk_stealer
  behavioral1/memory/2504-131-0x0000000000400000-0x0000000000C71000-memory.dmp -> shurk_stealer
  behavioral1/memory/2504-132-0x0000000000400000-0x0000000000C71000-memory.dmp -> shurk_stealer
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule match: upx (3 resources)
  resource -> yara_rule
  behavioral1/memory/2504-120-0x0000000000400000-0x0000000000C71000-memory.dmp -> upx
  behavioral1/memory/2504-131-0x0000000000400000-0x0000000000C71000-memory.dmp -> upx
  behavioral1/memory/2504-132-0x0000000000400000-0x0000000000C71000-memory.dmp -> upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1 -> ioc checkip.amazonaws.com

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
  pid 5020 -> WMIC.exe

GoLang User-Agent (3 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
  description -> flow -> ioc
  HTTP User-Agent header -> flow 2 -> Go-http-client/1.1
  HTTP User-Agent header -> flow 4 -> Go-http-client/1.1
  HTTP User-Agent header -> flow 7 -> Go-http-client/1.1
Suspicious use of AdjustPrivilegeToken (42 IoCs)
All 42 events are token adjustments by PID 5020 (WMIC.exe). The report lists the following 21 privileges, each adjusted twice, in this order:
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  33
  34
  35
  36
Suspicious use of WriteProcessMemory (4 IoCs)
  description (pid, Process, procid_target)
  PID 2504 wrote to memory of 3184 (2504, Rust Hack.exe, 72)
  PID 2504 wrote to memory of 3184 (2504, Rust Hack.exe, 72)
  PID 3184 wrote to memory of 5020 (3184, cmd.exe, 73)
  PID 3184 wrote to memory of 5020 (3184, cmd.exe, 73)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe"
   PID: 2504
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      command line: cmd /C "wmic path win32_VideoController get name"
      PID: 3184
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Wbem\WMIC.exe
         command line: wmic path win32_VideoController get name
         PID: 5020
         - Detects videocard installed
         - Suspicious use of AdjustPrivilegeToken