Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-08-2023 16:40

General

  • Target

    78bc9c35531a7e1a31af3bdff4083df6.exe

  • Size

    7.7MB

  • MD5

    78bc9c35531a7e1a31af3bdff4083df6

  • SHA1

    a679051cff10c802a126c25c42f12fefac857a31

  • SHA256

    108dd8675ad26778748b563a1f590fef6f9875d484002e3d48adb7268358263d

  • SHA512

    2a41f758b0da999e3d2afbe4c7f0f5b4d675dc643f866d4947b9570c9b8ccd6bc3ebf44a67c82633ae9992404c1e9a9ba0956712a451446a9e8ddd6fcc1ef526

  • SSDEEP

    196608:SdrOnwUbN9pdNqVWEwLnN+HDc/Up7sSpoVmPYYfW/:SVRUb5dN65ON+AMWS6VmlW/

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer written in C++ that first appeared in 2021.

  • Shurk Stealer payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine which video card is installed.

  • GoLang User-Agent 4 IoCs

    Uses the default user-agent string defined by the GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78bc9c35531a7e1a31af3bdff4083df6.exe
    "C:\Users\Admin\AppData\Local\Temp\78bc9c35531a7e1a31af3bdff4083df6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming/WinHoster
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe
      C:\Users\Admin\AppData\Roaming/WinHoster/winhoster.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe

    Filesize

    185KB

    MD5

    39a3b5a48178b860ba3c69dfa191e974

    SHA1

    83b1a7f8851aa095b00705c6876ff33419618b80

    SHA256

    0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c

    SHA512

    a131c0866e5afd53ed53cd3b825c1a4b304547283923a33cc722984b147156db0e21c3df1142a353227260dac32cb2e7f136d1a9d93315cc9aa3673bf8602605

  • memory/1080-54-0x0000000002000000-0x000000000277A000-memory.dmp

    Filesize

    7.5MB

  • memory/1080-55-0x0000000002000000-0x000000000277A000-memory.dmp

    Filesize

    7.5MB

  • memory/1080-56-0x000007FFFF7C0000-0x000007FFFFFA3000-memory.dmp

    Filesize

    7.9MB

  • memory/1080-88-0x0000000002000000-0x000000000277A000-memory.dmp

    Filesize

    7.5MB

  • memory/1080-87-0x00000000010C0000-0x000000000187C000-memory.dmp

    Filesize

    7.7MB

  • memory/3024-76-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-75-0x0000000002320000-0x0000000002328000-memory.dmp

    Filesize

    32KB

  • memory/3024-79-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-80-0x0000000002740000-0x00000000027C0000-memory.dmp

    Filesize

    512KB

  • memory/3024-81-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-77-0x0000000002740000-0x00000000027C0000-memory.dmp

    Filesize

    512KB

  • memory/3024-78-0x0000000002740000-0x00000000027C0000-memory.dmp

    Filesize

    512KB

  • memory/3024-74-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize

    2.9MB