New Advanced Stealer (SHUYAL) Targets Credentials Across 19 Popular Browsers

 Author(s): Vlad Pasca

• New advanced stealer analyzed though Hybrid Analysis and named 'SHUYAL' 
• Hybrid Analysis report reveals the stealer can grab credentials from 19 different web browsers (Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon)
• SHUYAL features advanced evasion tactics, featuring self-deletion capabilities and sophisticated anti-detection mechanisms, including automatic Task Manager disablement
• The stealer employs modern exfiltration methods, combining Discord token theft with Telegram-based data exfiltration 

Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor.

Analysis shows SHUYAL performing thorough system reconnaissance, gathering detailed information about disk drives, input devices, and display configurations. The malware employs aggressive defense evasion techniques, including the automatic termination and subsequent disabling of Windows Task Manager. Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure. The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions.

This research presents a detailed technical analysis of SHUYAL, documenting its capabilities and behaviors through comprehensive Hybrid Analysis indicators, combined with in-depth technical analysis of a publicly available sample.

A Hybrid Analysis Perspective

We’ve named this stealer SHUYAL based on the PDB path extracted from the executable. As we can see in the Hybrid Analysis report, the path also reveals the “sheepy” username:

Figure 1 - PDB path extracted in the Hybrid Analysis report

The malware disables Windows Task Manager on the machine by modifying the “DisableTaskMgr” registry value (see Figure 2).

Figure 2 - Disabling Windows Task Manager

The stealer tries to access login credentials from a list of browsers, including Google Chrome, Opera and Microsoft Edge. The entire list will be presented in the technical analysis.

Figure 3 - Multiple browsers are targeted by the stealer

Spawning multiple processes (as highlighted below), SHUYAL retrieves the model and serial number of the available disk drives, information about the keyboard and mouse installed on the machine, and details about the monitor attached to the computer. The last command (“wmic get name”) is incomplete and doesn’t return any useful information.

 Figure 4 - Multiple processes retrieve information about the infected host

Figure 5 from the Hybrid Analysis report reveals that the process uses PowerShell to compress a folder from the “%TEMP%” directory. The folder contains information to be exfiltrated, as we’ll see in the upcoming sections.

Figure 5 - Create an archive to be exfiltrated using PowerShell

The stealer performs data exfiltration via a Telegram bot (Figure 6).

Figure 6 - Data exfiltration occurs via Telegram

The malware is very stealthy because it deletes the newly created files from the browsers’ databases and all files from the “runtime” directory that were previously exfiltrated:

Figure 7 - Malware deletes the created files for stealthiness

The malicious process extracts the path of the Desktop Wallpaper using PowerShell, as shown in the figure below.

Figure 8 - Extract the path of the Desktop Wallpaper

A Deeper Dive into SHUYAL

The binary creates an anonymous pipe via a call to CreatePipe. The pipe will be used to read the output of the processes to be spawned:

Figure 9 - CreatePipe API call

Reconnaissance

The stealer performs reconnaissance by creating multiple processes:

• wmic diskdrive get model,serialnumber (retrieve the model and serial number of the available disk drives)
• wmic path Win32_Keyboard get Description,DeviceID (retrieve information about the keyboard)
• wmic path Win32_PointingDevice get Description,PNPDeviceID (created twice, retrieve information about the mouse)
• wmic path Win32_DesktopMonitor get Description,PNPDeviceID (retrieve details about the monitor attached to the computer)
• wmic get name (returns an error)
• powershell -command “(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper” (retrieve the path of the Desktop Wallpaper)

Figure 10 - Obtain information about the machine

The malware enumerates the running processes looking for the Task Manager process. If found, it is killed by calling the TerminateProcess method (see Figure 11).

Figure 11 - Task Manager process is stopped

The process disables Task Manager by modifying the “DisableTaskMgr” registry value to 1, as highlighted below:

Figure 12 - Disable Task Manager by modifying a registry value

Persistence

SHUYAL obtains the user’s Startup folder using the SHGetSpecialFolderPathA API (0x7 = CSIDL_STARTUP):

Figure 13 - SHGetSpecialFolderPathA API call

The malware establishes persistence by self-copying to the Startup folder via a function call to CopyFileA. We can also observe the strings that appear in the code, confirming the success/failure of the operation.

Figure 14 - Copy operation to the Startup folder

The stealer obtains a handle to the standard output device and adds the ENABLE_ECHO_INPUT mode to the output mode:

Figure 15 - Modify the console mode

Data stealing

SHUYAL attempts to locate the “Login Data” file, which stores login data (including usernames and URLs), for the following browsers: Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon.

Figure 16 - GetFileAttributesExW API call

The identified files are copied to the current directory of the malware. For example, the file corresponding to Chrome is copied as “chrome_Data.db” (Figure 17).

Figure 17 - Copy targeted databases to the current directory

The following SQL query is executed, "SELECT origin_url, username_value, password_value FROM logins". The encrypted passwords will be decrypted and stored in a newly created file called “saved_passwords.txt” found in the “runtime” directory created in the temporary folder. The decryption works by extracting the Master key from the “Local State” file, base64-decode the key, and then decrypt it using the DPAPI CryptUnprotectData. The Master key can be used to decrypt the browser credentials. The browsing history is extracted from “\User Data\Default\History” and saved as “history.txt” in the same directory. Figure 18 presents the SQL query that is executed:

Figure 18 - SQL query execution

The process extracts data from the clipboard using the OpenClipboard and GetClipboardData functions. It is saved in a file called “clipboard.txt”:

Figure 19 - Extract data from the clipboard

Figure 20 - Data is saved in a file called clipboard.txt

The stealer takes a screenshot using the GdiplusStartup, BitBlt, and GdipSaveImageToFile APIs, and saves it in a file called “ss.png”:

Figure 21 - APIs used to take the screenshot

Figure 22 - GdipSaveImageToFile function call

It also steals tokens from Discord, Discord Canary, and Discord PTB (Figure 23).

Figure 23 - Malware steals tokens from Discord applications

The malware creates a log file called “debug_log.txt” that contains information about the targeted browsers and other applications:

Figure 24 - Content of the log file

Data exfiltration

The malicious executable compresses the “runtime” directory containing files to be exfiltrated to an archive called “runtime.zip” using PowerShell, as shown in the figure below.

Figure 25 - Folder to be exfiltrated is compressed to an archive

The archive is exfiltrated to the following Telegram bot:

Figure 26 - Telegram bot

WSAEnumNetworkEvents is utilized to discover occurrences of network events for a socket:

Figure 27 - WSAEnumNetworkEvents API call

After finishing the malicious activity, the stealer performs self-deletion using a batch file called “util.bat”:

Figure 28 - Content of the self-deletion batch script

Figure 29 - Execution of the newly created batch file

SHUYAL Through the Eyes of Hybrid Analysis

The Hybrid Analysis report identifies multiple behavioral patterns and indicators that clearly classify SHUYAL as a new,  information-stealing malware. For example, it highlights that the sample obtains login credentials from a list of browsers, including Google Chrome, Opera, Edge and others. Our in-depth technical analysis extends beyond behavioral observations to examine SHUYAL's core functionality, enabling the development of more effective detection and defense mechanisms.

Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA256

810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c

Files created

C:\Users\<User>\AppData\Local\Temp\runtime\browser\debug_log.txt

C:\Users\<User>\AppData\Local\Temp\runtime\browser\tokens.txt

C:\Users\<User>\AppData\Local\Temp\runtime\clipboard\clipboard.txt

C:\Users\<User>\AppData\Local\Temp\runtime\history\history.txt

C:\Users\<User>\AppData\Local\Temp\runtime\passwords\saved_passwords.txt

C:\Users\<User>\AppData\Local\Temp\runtime\pic\ss.png

C:\Users\<User>\AppData\Local\Temp\runtime.zip

util.bat

Processes spawned

wmic diskdrive get model,serialnumber

wmic path Win32_Keyboard get Description,DeviceID

wmic path Win32_PointingDevice get Description,PNPDeviceID

wmic path Win32_DesktopMonitor get Description,PNPDeviceID

wmic get name

powershell -command "(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper”

powershell -Command “Compress-Archive -Path ‘C:\Users\<User>\AppData\Local\Temp\runtime\*’ -DestinationPath ‘C:\Users\<User>\AppData\Local\Temp\runtime.zip’ -Force

Telegram Bot

hxxps[:]//api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864

Shuffling the Greatest Hits: How DragonForce Ransomware Samples LockBit and Conti Into a Ransomware Jukebox

Author(s): Vlad Pasca

• DragonForce ransomware deploys payloads derived from leaked LockBit3.0 and Conti source code
• DragonForce logs all its activity in an encrypted log file stored in the Public directory 
• The new ransomware employs the "stack strings" obfuscation technique to hide information 
• The encryption percentage of a file is determined by both file size and whether the extension is included in the ransomware's targeted list 
• DragonForce ransomware uses the ChaCha8 algorithm, with the encryption key and nonce protected by the public RSA key

DragonForce ransomware has been assessed as a sophisticated threat that tactically deploys payloads derived from leaked source code of both the notorious LockBit 3.0 and Conti ransomware families. While the samples share some similar core functionality, DragonForce distinguishes itself in several unique ways.

Hybrid Analysis research reveals that DragonForce employs the "stack strings" obfuscation technique to hide sensitive information from security tools and analysts, making detection and analysis efforts difficult. When targeting systems, it also implements a selective encryption strategy where the encryption percentage of a file varies based on both file size and whether the file extension appears on its predetermined target list.

The DragonForce sample analyzed by Hybrid Analysis uses the ChaCha8 algorithm for file encryption while protecting the encryption keys and nonce values with RSA encryption to prevent recovery. This combination of proven encryption methods with obfuscation and targeting strategies makes DragonForce a concerning evolution in the ransomware landscape.

The following analysis provides a comprehensive view of DragonForce ransomware's capabilities through both behavioral observations using Hybrid Analysis and in-depth technical analysis of a publicly available sample.

A Hybrid Analysis Perspective

A quick glance at the Hybrid Analysis report reveals the malware has the ability to import cryptographic keys (for example, public RSA keys), which is a telltale sign of ransomware behavior:

Figure 1 - CryptImportKey API is used 

Using Yara rules, the sandbox environment detected that DragonForce implements the ChaCha encryption algorithm, as shown in the following output:

Figure 2 - ChaCha algorithm identified

As shown in Figure 3, the DragonForce ransomware leverages the NetShareEnum API to discover and target network shares for encryption.

Figure 3 - Network shares could be encrypted by the ransomware

In the same Hybrid Analysis report, we notice the malware’s use of FindFirstFileW and FindNextFileW functions. This strongly suggests file enumeration behavior typical of ransomware preparing to encrypt all accessible drives:

Figure 4 - The presence of both APIs indicates file enumeration

A Deeper Dive Into DragonForce

Defense Evasion

The DragonForce ransomware binary employs “stack strings” obfuscation, a technique where encrypted strings are stored on the stack and only decrypted to an array allocated at runtime. This approach helps to evade static analysis and signature-based detection.

Figure 5 - Stack strings are decrypted using multiple operations

Figure 6 - Plaintext string after decryption

As shown in Figure 7, DragonForce  maps multiple DLLs into the address space of the current process using the CreateFileMappingW and MapViewOfFile APIs. The following DLLs were mapped: kernel32.dll, ws2_32.dll, advapi32.dll, RstrtMgr.dll, ole32.dll, netapi32.dll, IPHLPAPI.dll, shlwapi.dll, shell32.dll, and ntdll.dll. The malware uses the content of those fresh-mapped DLLs as a bypass technique, in order to replace the hooks placed from security vendors in the above DLLs.

Figure 7 - Mapping DLLs

The malware verifies if one of the DLLs listed above contains hooks in one of its functions; if so, it modifies the protection of the function code to 0x40 (PAGE_EXECUTE_READWRITE) and writes the unhooked code from the fresh-mapped DLLs (so not hooked). It then restores the old memory protection, as highlighted below:

Figure 8 - Remove the installed hooks

The ransomware decrypts a predefined list of folders and file extensions that will be excluded from encryption. This selective targeting is intentional, as the malware deliberately avoids encrypting critical system files to ensure the compromised machine remains operational:

• Excluded folders: "tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, perflogs, Public" 
• Excluded files extensions: “.exe, .dll, .lnk, .sys, .msi, .bat”

The ransomware terminates specific processes to prevent file-locking conflicts that would interfere with its encryption routine. The full list of processes can be found in the Appendix.

Figure 9 - Processes to kill

DragonForce extracts the command-line parameters and compares them with the following list: “-p”, “-m”, “-log”, “-size”, and “-nomutex”. The list is the same as the one used by the Conti ransomware, which may suggest that DragonForce could be developed using Conti’s leaked source code.

Figure 10 - Command-line parameters are compared with a list

DragonForce maintains operational logs by writing encrypted activity records to a file named “log.log” stored in the Public directory. This encrypted logging mechanism helps conceal the ransomware's actions while providing detailed execution information. 

The malware uses OpenProcessToken to open the access token associated with the current process (0x8 = TOKEN_QUERY):

Figure 11 - OpenProcessToken API call

Afterward,  the malicious process retrieves the username from the above token using the GetTokenInformation and LookupAccountSidW methods:

Figure 12 - Username retrieval

It then proceeds to create two new threads that will handle the killing of the targeted processes:

Figure 13 - New threads are created to stop the targeted processes

To ensure that only one copy is running at a single time (Figure 14),  DragonFore creates a mutex called “hsfjuukjzloqu28oajh727190”.

Figure 14 - Named mutex is created

To speed up the file system encryption operations, the executable creates multiple threads, equal to the number of processors  (obtained via a function call to GetNativeSystemInfo) times two:

Figure 15 - Encryption threads

The sample searches for the “explorer.exe” process through the running processes using Process32FirstW and Process32NextW, as highlighted below.

Figure 16 - Ransomware is looking for the “explorer.exe” process

All of the above reveal that DragonForce employs anti-analysis methods including stack strings obfuscation, as well as selective targeting approach, multi-threaded encryption and command-line parameterization similar to Conti ransomware.

Volume Shadow Copies Deletion

When it comes to deleting Volume Shadow copies to prevent data recovery, DragonForce leverages COM: it creates an IWbemClassObject object, and then an IWbemContext interface using the CoCreateInstance function.

Figure 17 - CoCreateInstance API calls

Figure 18 - CLSIDs for IWbemClassObject and IWbemContext

It uses WMI’s query “SELECT * FROM Win32_ShadowCopy" to extract the shadow copies and deletes them using the Delete method:

Figure 19 - Retrieve the Windows Shadow Copies

The malware retrieves all valid drives on the system that will be transmitted to the encryption threads (see Figure 20).

Figure 20 - GetLogicalDriveStringsW API call

The malware uses the  ZwQuerySystemInformation function to obtain an array of SYSTEM_PROCESS_INFORMATION structures, representing the running processes (0x5 = SystemProcessInformation):

Figure 21 - Retrieve an array of structures for all running processes

The targeted processes are killed using the TerminateProcess API, as shown in Figure 22.

Figure 22 - Malware stops a list of processes

Encryption of Files

When it comes to file encryption, DragonForce also demonstrates operational capabilities and versatility through its command-line parameters, enabling its operators to control the ransomware’s behavior during deployment. This parameterization enables targeted attacks and strategic execution – ranging from encrypting specific folders rather than entire systems (“-p”) to operational security features – to avoid detection of specific mutex names associated with the ransomware (“-nomutex”). The entire process is detailed below.

Figure 23 - Public RSA key is imported

It creates the ransom note called “readme.txt” in every traversed directory:

Figure 24 - Ransom note

The binary embedded a ChaCha8 key (32 bytes) and nonce (8 bytes) that are used to decrypt the ransom note content. These values are shown below:

Figure 25 - ChaCha8 key and nonce are embedded in the malware

The implementation of the ChaCha8 algorithm is presented in Figure 26.

Figure 26 - ChaCha8 algorithm

The malware generates 32 random bytes and then 8 random bytes representing the ChaCha8 key and nonce, respectively. Every file will be encrypted with a different key and nonce.

Figure 27 - Random key and nonce are generated

The public RSA key is used to encrypt the key and nonce, along with the filename. The encrypted data will be stored in the encrypted file.

Figure 28 - The key, nonce, and filename are encrypted using RSA

It’s not very common, but the initial filename is modified as well (Figure 29). The extension of the encrypted files is changed to “dragonforce_encrypted”.

Figure 29 - Initial filename is changed

The full list of targeted extensions is presented in the Appendix.

DragonForce creates a registry key called “.dragonforce_encrypted” under HKEY_CLASSES_ROOT using RegCreateKeyExW:

Figure 30 - Create a registry key corresponding to the ransomware’s extension

An .ico file called “icon.ico” is created in the Public directory. This file is set in the DefaultIcon sub-registry key:

Figure 31 - Encrypted files have a custom icon

Depending on the file size and if the file’s extension belongs to the targeted list, the following cases could occur: 

• File size < 3MB: the entire file is encrypted and 0x24 is added to the encrypted file’s footer 
• File size > 3MB and the extension doesn’t appear in the target list: only the first 3MB are encrypted (0x26 in the footer). In the case of targeted extensions, the entire file is encrypted 
• Large .iso files are encrypted alternatively: approximately 21% of the file is encrypted with 3 chunks of file size/100*7 bytes. 0x25 is added to the footer

Running with the “-p” parameter

In this case, only the folder passed as a parameter is encrypted by the ransomware.

Running with the “-m” parameter

The following sub-cases exist:

• “-m all”
• “-m local”
• “-m net”
• “-m backups”

Network shares can be targeted using the “all” or “net” parameter (see Figure 32). If “local” is specified, then only the local drives are encrypted.

Figure 32 - Targeting available network shares

Running with the “-log” parameter

The log file passed as a parameter is created, however, it remains empty and the “log.log” file is still populated as before.

Running with the “-nomutex” parameter

In this case, the process doesn’t create the named mutex previously mentioned.

Through the Eyes of Hybrid Analysis

Even a cursory glance at the Hybrid Analysis report offers analysts and researchers a wide range of telltale signs which reveal that the DragonForce sample exhibits ransomware behavior. For example, it highlights that DragonForce implements ChaCha symmetric encryption, reveals that it targets local drives and network shares, and demonstrates its ability to stop targeted processes. The additional in-depth research is meant to peek behind the behavior-based evidence and dive into the inner workings of the DragonForce ransomware to reveal what makes it interesting and understand how defenders can build better defense strategies. 

Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA256

b9bba02d18bacc4bc8d9e4f70657d381568075590cc9d0e7590327d854224b32

File created

C:\Users\Public\log.log

C:\Users\Public\wallpaper_white.png

C:\Users\Public\icon.ico

readme.txt

Registry key

HKCR\.dragonforce_encrypted

Mutex

hsfjuukjzloqu28oajh727190

Appendix

Targeted processes

MsMpEng.exe,sql.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,isqlplussvc.exe,xfssvccon.exe,mydesktopservice.exe,ocautoupds.exe,encsvc.exe,firefox.exe,tbirdconfig.exe,mydesktopqos.exe,ocomm.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,thebat.exe,thunderbird.exe,visio.exe,winword.exe,wordpad.exe,notepad.exe,calc.exe,wuauclt.exe,onedrive.exe,SQLAGENT.exe,sqlservr.exe,SQLWriter.exe

Targeted extensions

4dd,4dl,accdb,accdc,accde,accdr,accdt,accft,adb,ade,adf,adp,arc,ora,alf,ask,btr,bdf,cat,cdb,ckp,cma,cpd,dacpac,dad,dadiagrams,daschema,db,db-shm,db-wal,db3,dbc,dbf,dbs,dbt,dbv,dbx,dcb,dct,dcx,ddl,dlis,dp1,dqy,dsk,dsn,dtsx,dxl,eco,ecx,edb,epim,exb,fcd,fdb,fic,fmp,fmp12,fmpsl,fol,fp3,fp4,fp5,fp7,fpt,frm,gdb,grdb,gwi,hdb,his,ib,idb,ihx,itdb,itw,jet,jtx,kdb,kexi,kexic,kexis,lgc,lwx,maf,maq,mar,mas,mav,mdb,mdf,mpd,mrg,mud,mwb,myd,ndf,nnt,nrmlib,ns2,ns3,ns4,nsf,nv,nv2,nwdb,nyf,odb,oqy,orx,owc,p96,p97,pan,pdb,pdm,pnz,qry,qvd,rbf,rctd,rod,rodx,rpd,rsd,sas7bdat,sbf,scx,sdb,sdc,sdf,sis,spq,sql,sqlite,sqlite3,sqlitedb,te,temx,tmd,tps,trc,trm,udb,udl,usr,v12,vis,vpd,vvv,wdb,wmdb,wrk,xdb,xld,xmlff,abcddb,abs,abx,accdw,adn,db2,fm5,hjt,icg,icr,kdb,lut,maw,mdn,mdt

Figure 33 - DragonForce Ransom note