Author(s): Vlad Pasca
- New advanced stealer analyzed though Hybrid Analysis and named 'SHUYAL'
- Hybrid Analysis report reveals the stealer can grab credentials from 19 different web browsers (Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon)
- SHUYAL features advanced evasion tactics, featuring self-deletion capabilities and sophisticated anti-detection mechanisms, including automatic Task Manager disablement
- The stealer employs modern exfiltration methods, combining Discord token theft with Telegram-based data exfiltration
Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor.
Analysis shows SHUYAL performing thorough system reconnaissance, gathering detailed information about disk drives, input devices, and display configurations. The malware employs aggressive defense evasion techniques, including the automatic termination and subsequent disabling of Windows Task Manager. Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure. The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions.
This research presents a detailed technical analysis of SHUYAL, documenting its capabilities and behaviors through comprehensive Hybrid Analysis indicators, combined with in-depth technical analysis of a publicly available sample.
A Hybrid Analysis Perspective
We’ve named this stealer SHUYAL based on the PDB path extracted from the executable. As we can see in the Hybrid Analysis report, the path also reveals the “sheepy” username:
 |
Figure 3 - Multiple browsers are targeted by the stealer |
The stealer performs data exfiltration via a Telegram bot (Figure 6).
A Deeper Dive into SHUYAL
The binary creates an anonymous pipe via a call to CreatePipe. The pipe will be used to read the output of the processes to be spawned:
Reconnaissance
The stealer performs reconnaissance by creating multiple processes:
- wmic diskdrive get model,serialnumber (retrieve the model and serial number of the available disk drives)
- wmic path Win32_Keyboard get Description,DeviceID (retrieve information about the keyboard)
- wmic path Win32_PointingDevice get Description,PNPDeviceID (created twice, retrieve information about the mouse)
- wmic path Win32_DesktopMonitor get Description,PNPDeviceID (retrieve details about the monitor attached to the computer)
- wmic get name (returns an error)
- powershell -command “(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper” (retrieve the path of the Desktop Wallpaper)
 |
Figure 11 - Task Manager process is stopped |
The process disables Task Manager by modifying the “DisableTaskMgr” registry value to 1, as highlighted below:
 |
Figure 12 - Disable Task Manager by modifying a registry value |
Persistence
SHUYAL obtains the user’s Startup folder using the SHGetSpecialFolderPathA API (0x7 = CSIDL_STARTUP):
 |
Figure 13 - SHGetSpecialFolderPathA API call |
 |
Figure 14 - Copy operation to the Startup folder |
The stealer obtains a handle to the standard output device and adds the ENABLE_ECHO_INPUT mode to the output mode:
 |
Figure 15 - Modify the console mode |
Data stealing
SHUYAL attempts to locate the “Login Data” file, which stores login data (including usernames and URLs), for the following browsers: Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon.
 |
Figure 16 - GetFileAttributesExW API call |
 |
Figure 17 - Copy targeted databases to the current directory |
The following SQL query is executed, "SELECT origin_url, username_value, password_value FROM logins". The encrypted passwords will be decrypted and stored in a newly created file called “saved_passwords.txt” found in the “runtime” directory created in the temporary folder. The decryption works by extracting the Master key from the “Local State” file, base64-decode the key, and then decrypt it using the DPAPI CryptUnprotectData. The Master key can be used to decrypt the browser credentials. The browsing history is extracted from “\User Data\Default\History” and saved as “history.txt” in the same directory. Figure 18 presents the SQL query that is executed:
 |
Figure 18 - SQL query execution |
 |
Figure 19 - Extract data from the clipboard |
 |
Figure 20 - Data is saved in a file called clipboard.txt
The stealer takes a screenshot using the GdiplusStartup, BitBlt, and GdipSaveImageToFile APIs, and saves it in a file called “ss.png”:
 |
Figure 21 - APIs used to take the screenshot |
 |
Figure 22 - GdipSaveImageToFile function call
It also steals tokens from Discord, Discord Canary, and Discord PTB (Figure 23).
 |
Figure 23 - Malware steals tokens from Discord applications |
The malware creates a log file called “debug_log.txt” that contains information about the targeted browsers and other applications:
 |
Figure 24 - Content of the log file |
Data exfiltration
The malicious executable compresses the “runtime” directory containing files to be exfiltrated to an archive called “runtime.zip” using PowerShell, as shown in the figure below.
 |
Figure 25 - Folder to be exfiltrated is compressed to an archive |
 |
Figure 26 - Telegram bot |
WSAEnumNetworkEvents is utilized to discover occurrences of network events for a socket:
 |
Figure 27 - WSAEnumNetworkEvents API call |
 |
Figure 28 - Content of the self-deletion batch script |
 |
Figure 29 - Execution of the newly created batch file
SHUYAL Through the Eyes of Hybrid Analysis
The Hybrid Analysis report identifies multiple behavioral patterns and indicators that clearly classify SHUYAL as a new, information-stealing malware. For example, it highlights that the sample obtains login credentials from a list of browsers, including Google Chrome, Opera, Edge and others. Our in-depth technical analysis extends beyond behavioral observations to examine SHUYAL's core functionality, enabling the development of more effective detection and defense mechanisms.
Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.
