Author(s): Vlad Pasca
- New advanced stealer analyzed through Hybrid Analysis and named 'SHUYAL'
- Hybrid Analysis report reveals the stealer can grab credentials from 19 different web browsers (Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon)
- SHUYAL includes defense-evasion measures such as terminating and then disabling Task Manager, and self-deletion once its work is done
- The stealer employs modern exfiltration methods, combining Discord token theft with Telegram-based data exfiltration
Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor.
Analysis shows SHUYAL performing thorough system reconnaissance, gathering detailed information about disk drives, input devices, and display configurations. The malware employs aggressive defense evasion techniques, including the automatic termination and subsequent disabling of Windows Task Manager. Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure. The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions.
This research presents a detailed technical analysis of SHUYAL, documenting its capabilities and behaviors through comprehensive Hybrid Analysis indicators, combined with in-depth technical analysis of a publicly available sample.
A Hybrid Analysis Perspective
We’ve named this stealer SHUYAL based on the PDB path extracted from the executable. As we can see in the Hybrid Analysis report, the path also reveals the “sheepy” username:
Spawning multiple processes (as highlighted below), SHUYAL retrieves the model and serial number of the available disk drives, information about the keyboard and mouse installed on the machine, and details about the monitor attached to the computer. The last command (“wmic get name”) is incomplete and doesn’t return any useful information.
Figure 4 - Multiple processes retrieve information about the infected host
Figure 5 from the Hybrid Analysis report reveals that the process uses PowerShell to compress a folder from the “%TEMP%” directory. The folder contains information to be exfiltrated, as we’ll see in the upcoming sections.
Figure 5 - Create an archive to be exfiltrated using PowerShell
The stealer performs data exfiltration via a Telegram bot (Figure 6).
Figure 6 - Data exfiltration occurs via Telegram
The malware also covers its tracks: after exfiltration it deletes the copies of the browser databases it created and every file in the “runtime” directory:
Figure 7 - Malware deletes the created files for stealthiness
The malicious process extracts the path of the Desktop Wallpaper using PowerShell, as shown in the figure below.
Figure 8 - Extract the path of the Desktop Wallpaper
A Deeper Dive into SHUYAL
The binary creates an anonymous pipe via a call to CreatePipe. The pipe will be used to read the output of the processes to be spawned:
Figure 9 - CreatePipe API call
Reconnaissance
The stealer performs reconnaissance by creating multiple processes:
- wmic diskdrive get model,serialnumber (retrieve the model and serial number of the available disk drives)
- wmic path Win32_Keyboard get Description,DeviceID (retrieve information about the keyboard)
- wmic path Win32_PointingDevice get Description,PNPDeviceID (created twice, retrieve information about the mouse)
- wmic path Win32_DesktopMonitor get Description,PNPDeviceID (retrieve details about the monitor attached to the computer)
- wmic get name (returns an error)
- powershell -command “(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper” (retrieve the path of the Desktop Wallpaper)
The malware enumerates the running processes looking for the Task Manager process. If found, it is terminated with the TerminateProcess API (see Figure 11).
Figure 11 - Task Manager process is stopped
The process then disables Task Manager by setting the “DisableTaskMgr” registry value to 1 (Windows honours this policy value under HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Policies\System), as highlighted below:
Figure 12 - Disable Task Manager by modifying a registry value
Persistence
SHUYAL obtains the user’s Startup folder using the SHGetSpecialFolderPathA API (0x7 = CSIDL_STARTUP):
Figure 13 - SHGetSpecialFolderPathA API call
The malware establishes persistence by copying itself to the Startup folder with CopyFileA. The strings visible in the code confirm the success or failure of the operation.
Figure 14 - Copy operation to the Startup folder
The stealer obtains a handle to the standard output device and adds the ENABLE_ECHO_INPUT flag (0x0004) to the output mode. Note that ENABLE_ECHO_INPUT is defined for console input handles; on an output handle the same bit is ENABLE_VIRTUAL_TERMINAL_PROCESSING, so the practical effect of this call is to enable virtual terminal sequence processing for the console output:
Figure 15 - Modify the console mode
Data stealing
SHUYAL attempts to locate the “Login Data” file, the SQLite database in which Chromium-based browsers store saved logins (origin URL, username and encrypted password), for the following browsers: Chrome, Brave, Edge, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast and Falkon. Waterfox and Tor Browser are Firefox-based and do not use this file, so those lookups will not yield credentials.
Figure 16 - GetFileAttributesExW API call
The identified files are copied to the current directory of the malware. For example, the file corresponding to Chrome is copied as “chrome_Data.db” (Figure 17).
Figure 17 - Copy targeted databases to the current directory
The following SQL query is then executed against each copied database: "SELECT origin_url, username_value, password_value FROM logins". The encrypted passwords are decrypted and written to a newly created file called “saved_passwords.txt” in the “runtime” directory that the malware creates in the temporary folder. Decryption follows the standard Chromium scheme: the master key is read from the “Local State” file (the os_crypt.encrypted_key value), base64-decoded, stripped of its “DPAPI” prefix and passed to the DPAPI CryptUnprotectData function; the resulting AES-256-GCM key decrypts each password_value blob, which consists of a “v10” prefix, a 12-byte nonce, the ciphertext and a 16-byte tag. The browsing history is extracted from “\User Data\Default\History” and saved as “history.txt” in the same directory. Figure 18 presents the SQL query that is executed:
Figure 18 - SQL query execution
The process extracts data from the clipboard using the OpenClipboard and GetClipboardData functions. It is saved in a file called “clipboard.txt”:
Figure 19 - Extract data from the clipboard
Figure 20 - Data is saved in a file called clipboard.txt
The stealer takes a screenshot using the GdiplusStartup, BitBlt, and GdipSaveImageToFile APIs, and saves it in a file called “ss.png”:
Figure 21 - APIs used to take the screenshot
Figure 22 - GdipSaveImageToFile function call
It also steals tokens from Discord, Discord Canary, and Discord PTB (Figure 23).
Figure 23 - Malware steals tokens from Discord applications
The malware creates a log file called “debug_log.txt” that contains information about the targeted browsers and other applications:
Figure 24 - Content of the log file
Data exfiltration
The malicious executable compresses the “runtime” directory containing files to be exfiltrated to an archive called “runtime.zip” using PowerShell, as shown in the figure below.
Figure 25 - Folder to be exfiltrated is compressed to an archive
The archive is exfiltrated to the following Telegram bot:
Figure 26 - Telegram bot
WSAEnumNetworkEvents is called to retrieve the network events that have occurred on a socket:
Figure 27 - WSAEnumNetworkEvents API call
After finishing the malicious activity, the stealer performs self-deletion using a batch file called “util.bat”:
Figure 28 - Content of the self-deletion batch script
Figure 29 - Execution of the newly created batch file
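The behaviours documented in the Reconnaissance, Persistence and Data exfiltration sections are individually unremarkable (wmic queries and PowerShell archiving are routine administration) but distinctive in combination. As an added example, not part of the report, the Python below correlates constructed host telemetry per responsible process and alerts when several of those behaviours co-occur. The event dictionary shape, the Compress-Archive cmdlet, the api.telegram.org host, the user and file names in the sample events and the alert threshold are all assumptions made for the demo; the page quotes the wmic and PowerShell wallpaper command lines, the DisableTaskMgr value, the Startup-folder copy, the runtime.zip archive and the util.bat name, but not the exact archiving command or network destination.

```python
"""Added example, not from the report: a small correlation rule set that scores
constructed host telemetry for the SHUYAL behaviours documented above
(wmic/PowerShell reconnaissance, DisableTaskMgr, copy to the Startup folder,
PowerShell archiving of %TEMP%\\runtime, Telegram exfiltration, util.bat
self-deletion). Assumptions: the event dict shape, the Compress-Archive cmdlet,
the api.telegram.org host and the sample paths are made up for the demo; the
page does not quote them."""
import re
from collections import defaultdict

FIELD_FOR_TYPE = {"process": "cmdline", "registry": "target",
                  "file": "target", "network": "host"}

# (rule name, event type, regex over the field for that type)
RULES = [
    ("wmic_hardware_recon", "process",
     re.compile(r"wmic\s+(diskdrive get model,serialnumber|path win32_(keyboard|pointingdevice|desktopmonitor) get)", re.I)),
    ("wallpaper_path_query", "process",
     re.compile(r"powershell.*Get-ItemProperty\s+'HKCU:\\Control Panel\\Desktop'.*\.Wallpaper", re.I)),
    # DisableTaskMgr is only honoured under ...\Policies\System (HKCU or HKLM).
    ("disable_taskmgr", "registry", re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    # CSIDL_STARTUP resolves to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
    ("startup_folder_copy", "file", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)),
    # Archiving cmdlet is assumed; the page only shows PowerShell zipping %TEMP%\runtime.
    ("temp_runtime_archive", "process", re.compile(r"powershell.*Compress-Archive.*\\Temp\\runtime\b", re.I)),
    ("telegram_bot_api", "network", re.compile(r"^api\.telegram\.org$", re.I)),
    ("util_bat_self_delete", "process", re.compile(r"\butil\.bat\b", re.I)),
]

# wmic and Compress-Archive are routine admin activity, so a single rule hit is
# only a weak signal; alert when one process trips several of them.
ALERT_THRESHOLD = 3


def match_event(event):
    """Names of the rules that one event matches (empty list if none)."""
    field = FIELD_FOR_TYPE.get(event["type"])
    if field is None:
        return []
    return [name for name, etype, rx in RULES
            if etype == event["type"] and rx.search(event[field])]


def score_by_process(events):
    """Map each responsible pid (the parent for process creations) to the
    sorted list of rule names it triggered."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            hits[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Processes whose distinct rule hits reach the threshold."""
    return {pid: names for pid, names in score_by_process(events).items()
            if len(names) >= threshold}


# Constructed telemetry, loosely modelled on Sysmon process/registry/file/DNS
# events; pid 4242 plays the stealer, pid 7 an administrator running wmic.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "process", "cmdline": "wmic diskdrive get model,serialnumber"},
    {"pid": 4242, "type": "process", "cmdline": "wmic path Win32_PointingDevice get Description,PNPDeviceID"},
    {"pid": 4242, "type": "process", "cmdline": "wmic get name"},
    {"pid": 4242, "type": "process",
     "cmdline": "powershell -command \"(Get-ItemProperty 'HKCU:\\Control Panel\\Desktop').Wallpaper\""},
    {"pid": 4242, "type": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"},
    {"pid": 4242, "type": "file",
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sample.exe"},
    {"pid": 4242, "type": "process",
     "cmdline": f"powershell Compress-Archive -Path {TEMP}\\runtime -DestinationPath {TEMP}\\runtime.zip"},
    {"pid": 4242, "type": "network", "host": "api.telegram.org"},
    {"pid": 4242, "type": "process", "cmdline": f"cmd.exe /c {TEMP}\\util.bat"},
    {"pid": 7, "type": "process", "cmdline": "wmic diskdrive get model,serialnumber"},
]

if __name__ == "__main__":
    for pid, names in alerts(SAMPLE_EVENTS).items():
        print(pid, names)
```

The incomplete “wmic get name” command deliberately matches nothing: a rule keyed on that exact string would be brittle, whereas the hardware-inventory queries, the policy value write and the Telegram destination are the parts an operator cannot easily change without altering what the stealer collects or where it sends it.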
SHUYAL Through the Eyes of Hybrid Analysis
The Hybrid Analysis report identifies multiple behavioral patterns and indicators that clearly classify SHUYAL as a new, information-stealing malware. For example, it highlights that the sample obtains login credentials from a list of browsers, including Google Chrome, Opera, Edge and others. Our in-depth technical analysis extends beyond behavioral observations to examine SHUYAL's core functionality, enabling the development of more effective detection and defense mechanisms.
Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.