Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-08-2023 02:28

General

  • Target

    Launcher.exe

  • Size

    11.5MB

  • MD5

    525eca0e85c3325eca5b5b3cfeacd241

  • SHA1

    809ff78b0c5a587672f993c6a15c98bdd36141c3

  • SHA256

    9f77929368d4760cdf6a905141622bce67b5c2e13f14b2e12ac8b658108ccdbb

  • SHA512

    c815f1393d61e4743317cbbaa2aec8d917e0cc20990b5afa8a5960db703bbbbb1c257d0322d301f15f933cb7a9bf07d7de927663a34420ff892a81ca3227c320

  • SSDEEP

    49152:+qRnLGu+sHczMYNYEBBMaS3H5KCKsntU6ZKC9sBcRLr1+ar9SgVfB1LlGrGOjk1s:sug

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer written in C++ that first appeared in 2021.

  • Shurk Stealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming/WinHoster
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe
      C:\Users\Admin\AppData\Roaming/WinHoster/winhoster.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2180

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe

    Filesize

    185KB

    MD5

    39a3b5a48178b860ba3c69dfa191e974

    SHA1

    83b1a7f8851aa095b00705c6876ff33419618b80

    SHA256

    0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c

    SHA512

    a131c0866e5afd53ed53cd3b825c1a4b304547283923a33cc722984b147156db0e21c3df1142a353227260dac32cb2e7f136d1a9d93315cc9aa3673bf8602605

  • memory/2300-54-0x0000000029030000-0x000000002980F000-memory.dmp

    Filesize

    7.9MB

  • memory/2300-56-0x0000000029030000-0x000000002980F000-memory.dmp

    Filesize

    7.9MB

  • memory/2300-55-0x000007FFFF760000-0x000007FFFFFA8000-memory.dmp

    Filesize

    8.3MB

  • memory/2300-88-0x0000000029030000-0x000000002980F000-memory.dmp

    Filesize

    7.9MB

  • memory/2844-77-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2844-76-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

  • memory/2844-78-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2844-79-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2844-80-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

  • memory/2844-81-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2844-82-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

  • memory/2844-75-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

  • memory/2844-74-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

    Filesize

    2.9MB