Overview

overview

10

Static

static

3

Launcher.exe

windows7-x64

10

Launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    266s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2023 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    11.5MB

  • MD5

    525eca0e85c3325eca5b5b3cfeacd241

  • SHA1

    809ff78b0c5a587672f993c6a15c98bdd36141c3

  • SHA256

    9f77929368d4760cdf6a905141622bce67b5c2e13f14b2e12ac8b658108ccdbb

  • SHA512

    c815f1393d61e4743317cbbaa2aec8d917e0cc20990b5afa8a5960db703bbbbb1c257d0322d301f15f933cb7a9bf07d7de927663a34420ff892a81ca3227c320

  • SSDEEP

    49152:+qRnLGu+sHczMYNYEBBMaS3H5KCKsntU6ZKC9sBcRLr1+ar9SgVfB1LlGrGOjk1s:sug

Score
10/10
shurkinfostealerpersistencespywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming/WinHoster
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe
      C:\Users\Admin\AppData\Roaming/WinHoster/winhoster.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nov3a4dz.iuo.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe
    Filesize

    185KB

    MD5

    39a3b5a48178b860ba3c69dfa191e974

    SHA1

    83b1a7f8851aa095b00705c6876ff33419618b80

    SHA256

    0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c

    SHA512

    a131c0866e5afd53ed53cd3b825c1a4b304547283923a33cc722984b147156db0e21c3df1142a353227260dac32cb2e7f136d1a9d93315cc9aa3673bf8602605

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinHoster\winhoster.exe
    Filesize

    185KB

    MD5

    39a3b5a48178b860ba3c69dfa191e974

    SHA1

    83b1a7f8851aa095b00705c6876ff33419618b80

    SHA256

    0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c

    SHA512

    a131c0866e5afd53ed53cd3b825c1a4b304547283923a33cc722984b147156db0e21c3df1142a353227260dac32cb2e7f136d1a9d93315cc9aa3673bf8602605

    Download Submit

  • memory/3596-137-0x00007FF430F70000-0x00007FF4317B8000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3596-138-0x000001B2F94B0000-0x000001B2F9C8F000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/3596-178-0x000001B2F94B0000-0x000001B2F9C8F000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/3596-136-0x000001B2F94B0000-0x000001B2F9C8F000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/3600-167-0x0000015C74160000-0x0000015C74170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3600-169-0x0000015C74160000-0x0000015C74170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3600-170-0x0000015C74160000-0x0000015C74170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3600-173-0x00007FFA57970000-0x00007FFA58431000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3600-168-0x0000015C74160000-0x0000015C74170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3600-166-0x00007FFA57970000-0x00007FFA58431000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3600-156-0x0000015C740A0000-0x0000015C740C2000-memory.dmp

    Filesize

    136KB

    Download