Analysis

  • max time kernel
    63s
  • max time network
    67s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-07-2023 17:25

General

  • Target

    AkebiLauncher.exe

  • Size

    8.7MB

  • MD5

    346403dc2892f3f445123f001a6709cb

  • SHA1

    b59e5a76feeb079cdea6a4a39544175d9f8a4d70

  • SHA256

    e45e34b67a7c2a3073721b7f274087d9099289881c5701129b339ecfa9a6bf0a

  • SHA512

    0c90f77b60ae4b30a7310172b1b438613a0f328e6935f1e74f14b406f62929f3270254b7026923a8d650e5d50eb7241d1901d524833379f67acc48129b1236df

  • SSDEEP

    196608:zBRNqLt94ZYvkM/IuuVkEwu01+pYxfdkKZhYLN/ajKLt/G38Ck:zBcKZYvjwqECAIrZK5/ajx

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer written in C++ that first appeared in 2021.

  • Shurk Stealer payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine which video card is installed.

  • GoLang User-Agent 3 IoCs

    Uses the default User-Agent string that Go's net/http package sends (Go-http-client/1.1) when a program does not set its own.

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AkebiLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\AkebiLauncher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:1252
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2996
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ExportResume.bat" "
    1⤵
    PID:4416
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ExportResume.bat" "
    1⤵
    PID:1116
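The two behaviours most useful for detection in this report are the AkebiLauncher.exe → cmd.exe → WMIC.exe video-card query and the Go default User-Agent on outbound HTTP. The Python below is an added example, not code from the sandbox or from the sample, that runs both checks over constructed telemetry modelled on the process tree above. The Sysmon-style field names, the benign admin process chain, and api.ipify.org as the IP-lookup host are assumptions for the example; the report does not name the lookup service.

```python
"""Detection logic for two behaviours in the report above: the
AkebiLauncher.exe -> cmd.exe -> WMIC.exe video-card query and the Go
default User-Agent on outbound HTTP. All telemetry below is constructed
for this example; field names and the IP-lookup host are assumptions."""
import re

# Constructed Sysmon-style process-creation records modelled on the process
# tree above, plus a benign admin running the same WMIC query interactively.
PROCESS_EVENTS = [
    {"pid": 3880, "ppid": 640,
     "image": r"C:\Users\Admin\AppData\Local\Temp\AkebiLauncher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AkebiLauncher.exe"'},
    {"pid": 1928, "ppid": 3880, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 1252, "ppid": 1928, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 5001, "ppid": 4200, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
]

# Constructed proxy log, tab-separated: src_ip, method, host, path, user_agent.
# api.ipify.org stands in for the unnamed IP-lookup service (assumption).
HTTP_LOG = (
    "10.0.0.5\tGET\tapi.ipify.org\t/\tGo-http-client/1.1\n"
    "10.0.0.5\tGET\texample.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    "10.0.0.7\tGET\tinternal.example.com\t/health\tGo-http-client/2.0\n"
)

WMIC_VIDEO_RE = re.compile(r"\bwmic\b.*\bwin32_videocontroller\b", re.IGNORECASE)
# Paths a standard user can write to; a launcher running from here is the
# interesting ancestor, not WMIC.exe itself.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)
# net/http sends these when the program sets no User-Agent of its own.
GO_DEFAULT_UAS = {"Go-http-client/1.1", "Go-http-client/2.0"}


def ancestors(pid, events):
    """Process record for pid followed by its parents, oldest last."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_wmic_videocard_from_user_dir(events):
    """PIDs of WMIC.exe video-card queries whose ancestry includes an
    executable launched from a user-writable directory."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\wmic.exe"):
            continue
        if not WMIC_VIDEO_RE.search(e["cmdline"]):
            continue
        if any(USER_WRITABLE_RE.match(a["image"]) for a in ancestors(e["pid"], events)):
            hits.append(e["pid"])
    return hits


def find_go_default_ua(log_text):
    """(src_ip, host) pairs for requests carrying Go's default User-Agent."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _method, host, _path, ua = line.split("\t", 4)
        if ua.strip() in GO_DEFAULT_UAS:
            hits.append((src, host))
    return hits


if __name__ == "__main__":
    print("WMIC video-card query from user dir:",
          find_wmic_videocard_from_user_dir(PROCESS_EVENTS))
    print("Go default User-Agent:", find_go_default_ua(HTTP_LOG))
```

The ancestry check is what separates the sandbox chain (PID 1252, launched from the user's Temp directory) from the identical query run by an admin under explorer.exe. The Go User-Agent check is deliberately loose and also flags the internal Go service on 10.0.0.7; on its own it is a weak signal and is best correlated with the process chain or with the destination being an IP-lookup service.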

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3880-134-0x0000000002790000-0x00000000027A0000-memory.dmp
    Filesize 64KB
  • memory/3880-133-0x0000000075FF0000-0x00000000760E0000-memory.dmp
    Filesize 960KB
  • memory/3880-135-0x0000000075FF0000-0x00000000760E0000-memory.dmp
    Filesize 960KB
  • memory/3880-136-0x000000007F380000-0x000000007FB6A000-memory.dmp
    Filesize 7.9MB
  • memory/3880-137-0x0000000006100000-0x00000000068B2000-memory.dmp
    Filesize 7.7MB
  • memory/3880-155-0x0000000075FF0000-0x00000000760E0000-memory.dmp
    Filesize 960KB
  • memory/3880-156-0x0000000006100000-0x00000000068B2000-memory.dmp
    Filesize 7.7MB