type: analysis | family: ayrseushop | confidence: low | created: 2026-05-31 | updated: 2026-05-31 | tags: pe, compiler, obfuscation, infostealer, c2, defense-evasion, mitre-attck
SHA-256: 5a5b337353b1a5faa9a3a18887de1235426da743fb6d77885c78b03db47b12cb

ayrseushop: 5a5b3373 — MSVC x64 infostealer with runtime string-decryption, clipboard+screenshot harvesting

Executive Summary

PE32+ x64 Windows GUI binary compiled with MSVC 14.0 and heavily obfuscated with flattened control-flow and XOR-loop string decryption. Imports reveal infostealer behaviour: clipboard extraction, GDI screenshot capture, system enumeration (computer name, user name, display settings), and COM/OLE automation. No hardcoded C2 or network APIs are visible statically; all indicators are runtime-decoded. Dynamic analysis was unavailable (no CAPE Windows guest); characterisation is entirely static.

What It Is

| Field | Value | Provenance |
|---|---|---|
| SHA-256 | 5a5b337353b1a5faa9a3a18887de1235426da743fb6d77885c78b03db47b12cb | ^[triage.json] |
| File name | rtom_tom.exe | ^[triage.json] |
| File type | PE32+ executable (GUI) x86-64, 4 sections | ^[file.txt] |
| Size | 217 088 bytes | ^[triage.json] |
| Compile time | 2026-05-21 14:20:00 UTC | ^[exiftool.json] ^[pefile.txt] |
| Linker | 14.0 (Visual Studio 2015+) | ^[exiftool.json] ^[pefile.txt] |
| Signed | No | ^[rabin2-info.txt] ^[pefile.txt] |
| Packing | None detected | ^[binwalk.txt] |
| CAPE status | Skipped — no Windows machine available | ^[dynamic-analysis.md] |

OpenCTI tags include ayrseu-shop, remusstealer, and sunwukong^[triage.json]. The actual build fingerprint (MSVC, native x64, normal IAT) does not match the Go-based menomoushop/remusstealer cluster or the PEB-walking sunwukong/hippamsascom cluster. Family attribution is therefore low-confidence and treated here as a standalone MSVC infostealer kit.

How It Works

1. String Decryption

The binary decrypts string blobs at runtime via iterated XOR with context-dependent multipliers. At least three distinct decryption loops are visible in the decompiled entry point and callees:

  • Entry-point prefix (entry0 @ 0x140001e30) — 13-character wide-char buffer decrypted with ecx * 0x3694 XOR accumulator^[r2:entry0].
  • Clipboard module (fcn.140026270 @ 0x1400263bf) — 38-character wide-char buffer decrypted with edx * 0xe792 XOR accumulator^[r2:fcn.140026270].
  • COM module (fcn.140026270 @ 0x1400264e1) — 6-character wide-char buffer decrypted with an AND-mask + multiply pair (0x53d0 / 0xac2f) before XOR^[r2:fcn.140026270].

No plaintext C2 URLs, file paths, or browser artefacts survive this encryption.
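As an added analyst-side example (not code from the sample or from the original write-up), the loop form given in the Homelab section, buf[i] ^= (i + 1) * CONSTANT over 16-bit characters, can be emulated to recover such strings statically; because the multiplier is only 16 bits wide, it can also be brute-forced when it is not yet known from the disassembly. The plaintext and blob below are constructed, the function names are mine, and the AND-mask variant of the COM module is not covered.

```python
import struct

def unpack_words(blob: bytes) -> list:
    """Split a little-endian wide-char blob into 16-bit code units."""
    n = len(blob) // 2
    return list(struct.unpack("<%dH" % n, blob[: n * 2]))

def decode_words(words, mult: int) -> str:
    """Emulate the loop buf[i] ^= (i + 1) * mult, truncated to 16 bits
    exactly as the word-sized XOR in the binary would truncate it."""
    return "".join(chr(w ^ (((i + 1) * mult) & 0xFFFF)) for i, w in enumerate(words))

def encode_text(text: str, mult: int) -> bytes:
    """XOR is symmetric; this exists only to build the constructed fixture."""
    words = [ord(c) ^ (((i + 1) * mult) & 0xFFFF) for i, c in enumerate(text)]
    return struct.pack("<%dH" % len(words), *words)

def is_printable_ascii(text: str) -> bool:
    return bool(text) and all(0x20 <= ord(c) <= 0x7E for c in text)

def recover_multiplier(blob: bytes):
    """Try every 16-bit multiplier and keep those giving printable text.
    Each extra character cuts the false-candidate rate by roughly
    95/65536, so a dozen characters normally leave only the true key."""
    words = unpack_words(blob)
    hits = []
    for mult in range(0x10000):
        text = decode_words(words, mult)
        if is_printable_ascii(text):
            hits.append((mult, text))
    return hits

# Constructed fixture: a 13-character wide string (placeholder plaintext, not
# recovered from the sample) encoded with the entry-point constant 0x3694.
SAMPLE_BLOB = encode_text("ayrseu-sample", 0x3694)

if __name__ == "__main__":
    for mult, text in recover_multiplier(SAMPLE_BLOB):
        print("mult=0x%04x -> %r" % (mult, text))
```

Against a real blob carved from .rdata, feed the raw bytes to recover_multiplier and compare the surviving multiplier with the immediate seen in the decryption loop.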

2. System Enumeration

  • GetComputerNameA / GetComputerNameExA — hostname and DNS suffix^[strings.txt:433-434].
  • GetUserNameA — logged-on username^[strings.txt:454].
  • EnumDisplaySettingsW — screen resolution enumeration^[strings.txt:446].
  • GetSystemMetrics — additional desktop metrics^[strings.txt:449].

These map cleanly to System Information Discovery (T1082) and Screen Capture (T1113).

3. Clipboard Theft

  • OpenClipboard / GetClipboardData / CloseClipboard^[strings.txt:448-453]. Standard clipboard exfiltration chain (T1115).

4. Screenshot Capture

  • GetDC / ReleaseDC — desktop device-context acquisition^[strings.txt:452-453].
  • BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, GetDIBits, SelectObject — full GDI screenshot pipeline^[strings.txt:456-464].

This is a complete framebuffer-capture workflow (T1113).

5. COM / OLE Automation

  • CoInitialize, CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance^[strings.txt:439-441].
  • OLEAUT32.dll ordinals: SysAllocString, SysFreeString, VariantClear, VariantInit^[pefile.txt:297-300].

The COM initialisation suggests WMI interaction or Office/Credential-Manager COM-object abuse (T1047). The repeated OLEAUT32 variant string operations in decompilation confirm BSTR handling — typical for WMI query result parsing.

Decompiled Behaviour

Radare2 analysis found 543 functions, the majority of which are small obfuscation stubs. The entry point (entry0 @ 0x140001d50) performs the following sequenced calls after its string-decryption preamble:

  1. fcn.140029420() — resolves two global function pointers (stored at 0x140035b28 and 0x140035b30) via an indirect call through a jump table^[r2:entry0].
  2. fcn.140026270() — clipboard / COM module. Contains a 33-case switch dispatch table at 0x140034ec8 and multiple nested decryption loops^[r2:fcn.140026270].
  3. fcn.140024ce0() — large switch-based dispatcher with 33 cases, each allocating stack frames and calling into further obfuscated subroutines^[r2:fcn.140024ce0].
  4. fcn.140004a70() — initialises a 0x38-byte structure by copying 0x1f bytes from a source blob, then sets two dword fields from arguments^[r2:fcn.140004a70]. This pattern matches a WMI CONNECTDATA-like structure or a custom COM proxy configuration block.
  5. fcn.140006290() — COM / string manipulation function that references the hardcoded ASCII string 65b650d78cbf74f17a1f5c139d5ab278 at 0x140031010^[r2:fcn.140006290]. The string is also visible in raw strings at line 431^[strings.txt:431]. Most likely an MD5 hash used as a decryption key, mutex name seed, or config integrity check.

The heavy switch-jump dispatch, repeated stack-frame allocators (fcn.140001a80), and OLEAUT32 BSTR churn are consistent with control-flow flattening produced by an automated obfuscator (possibly a commercial .NET/native protector or a custom C++ obfuscator pass).

C2 Infrastructure

No hardcoded C2 indicators. No IP addresses, domains, URLs, mutex names, or named pipes are visible in static strings or imports. All network endpoints are presumed to be runtime-decoded by the string-decryption engine. The absence of socket imports (ws2_32.dll, wininet.dll) is notable — C2 may be handled via:

  • COM-based HTTP/WINHTTP objects (through CoCreateInstance),
  • A second-stage payload dropped and executed by this binary, or
  • An external loader that injects network capability.

Interesting Tidbits

  • Compiler mismatch with family label. The ayrseu-shop / remusstealer labels in OpenCTI are typically associated with Go binaries. This sample is pure MSVC native C/C++ — the label is likely an umbrella tag or upload-bundle artefact^[triage.json].
  • Hardcoded MD5-like string. 65b650d78cbf74f17a1f5c139d5ab278 appears as both a data-section reference and a raw string^[r2:fcn.140006290] ^[strings.txt:431]. It is exactly 32 hex chars — could be a config hash, a mutex seed, or a peer-validation token.
  • Linker anti-tamper. Checksum field in optional header is 0x00000000^[pefile.txt]; this is normal for debug builds but also commonly seen in malware where the author did not bother to fix the checksum post-build.
  • No .rsrc section. Resource directory RVA is zero^[pefile.txt:165-167]; no icons, manifests, or version info to masquerade with. The binary relies entirely on its filename (rtom_tom.exe) for social engineering.
  • TEB/PEB access. fcn.140029b00 reads gs:[0] (TEB Self pointer) early in execution^[r2:fcn.140029b00]. On x64 this is a common anti-debug / anti-VM fingerprinting technique (checking BeingDebugged, NtGlobalFlag, or heap flags via PEB at gs:[0x30]).

How To Mess With It (Homelab Replication)

  1. Toolchain: Visual Studio 2019+ with MSVC v142, x64 Release target, /SUBSYSTEM:WINDOWS.
  2. Obfuscation pass: Replicate the entry-point string-decryption loop:
    • Embed encrypted wide-char blobs in .rdata.
    • At runtime, decrypt each blob in place with for (i = 0; i < len; i++) buf[i] ^= (i + 1) * CONSTANT; using constants such as 0x3694 or 0xe792.
  3. API set: Link against kernel32.lib, user32.lib, gdi32.lib, ole32.lib, oleaut32.lib, advapi32.lib. Import GetClipboardData, BitBlt, CoCreateInstance, EnumDisplaySettingsW.
  4. Verification: Compile and run capa reproducer.exe; expect capability hits on interact with clipboard, capture screenshot, and use COM API.

Deployable Signatures

YARA

import "pe"

rule AyrseuShop_MSVCx64_Infostealer_2026
{
    meta:
        description = "MSVC x64 infostealer with XOR string decryption, clipboard+GDI imports"
        author = "PacketPursuit"
        date = "2026-05-31"
        sha256 = "5a5b337353b1a5faa9a3a18887de1235426da743fb6d77885c78b03db47b12cb"
    strings:
        $s1 = "GetClipboardData" ascii wide
        $s2 = "BitBlt" ascii wide
        $s3 = "CoCreateInstance" ascii wide
        $s4 = "EnumDisplaySettingsW" ascii wide
        $s5 = "GetComputerNameExA" ascii wide
        $s6 = "65b650d78cbf74f17a1f5c139d5ab278" ascii
        $dec1 = { 66 81 74 ?? ?? ?? ?? 69 34 }   // word XOR decrypt loop sig (loose)
    condition:
        uint16(0) == 0x5A4D and
        all of ($s1,$s2,$s3,$s4,$s5) and
        1 of ($s6,$dec1) and   // build-specific token: hardcoded hash string or XOR-loop opcode fragment (YARA rejects unreferenced strings)
        filesize < 300KB and
        pe.number_of_sections == 4 and
        pe.imports("USER32.dll", "GetClipboardData") and
        pe.imports("GDI32.dll", "BitBlt") and
        pe.imports("ole32.dll", "CoCreateInstance")
}

Sigma

title: MSVC x64 Infostealer Clipboard + Screenshot + COM Activity
status: experimental
description: Detects a process exhibiting clipboard access, GDI screenshot capture, and COM initialization in sequence — behavioural fingerprint of the ayrseushop/Remusstealer MSVC cluster.
logsource:
  category: process_creation
  product: windows
detection:
  selection_clipboard:
    ImageLoaded|endswith: 'USER32.dll'
    CommandLine|contains: 'GetClipboardData'
  selection_gdi:
    ImageLoaded|endswith: 'GDI32.dll'
    CommandLine|contains:
      - 'BitBlt'
      - 'CreateCompatibleBitmap'
      - 'GetDIBits'
  selection_com:
    ImageLoaded|endswith: 'ole32.dll'
    CommandLine|contains: 'CoCreateInstance'
  selection_name:
    CommandLine|contains:
      - 'GetComputerName'
      - 'GetUserName'
  condition: selection_clipboard and selection_gdi and selection_com and selection_name
  # Real-world tuning: convert to EQL or Sysmon ImageLoad event search for DLL loads + API calls
falsepositives:
  - Legitimate remote-desktop or screen-sharing software
  - IT asset-management agents
level: high

IOC List

| Indicator | Type | Value |
|---|---|---|
| SHA-256 | hash | 5a5b337353b1a5faa9a3a18887de1235426da743fb6d77885c78b03db47b12cb |
| MD5 | hash | 65b650d78cbf74f17a1f5c139d5ab278 (hardcoded; possible config/checksum seed) |
| File name | filename | rtom_tom.exe |
| Compile time | timestamp | 2026-05-21 14:20:00 UTC |
| Linker version | toolchain | 14.0 |

Behavioural Fingerprint

On execution this binary initialises COM security, decrypts a set of wide-character strings via iterated XOR with hardcoded 16-bit multipliers, then sequentially queries the clipboard, enumerates display settings and desktop metrics, captures the screen via GDI BitBlt into a DIB, and gathers computer and user name. All harvested data is staged in BSTR-variant structures handled through OLEAUT32. No networking APIs are imported statically; C2 communication is either COM-based (WinHTTP/XMLHTTP objects via CoCreateInstance) or deferred to a secondary payload.

Detection Signatures

| Capability | ATT&CK ID | Evidence |
|---|---|---|
| Clipboard Data | T1115 | GetClipboardData / OpenClipboard imported^[strings.txt:448-453] |
| Screen Capture | T1113 | BitBlt, CreateCompatibleDC, GetDIBits imported^[strings.txt:456-464] |
| System Information Discovery | T1082 | GetComputerNameA/ExA, GetUserNameA, EnumDisplaySettingsW imported^[strings.txt:433-434,446,454] |
| Windows Management Instrumentation | T1047 | CoCreateInstance, CoInitializeSecurity, OLEAUT32 BSTR churn^[strings.txt:439-441] ^[pefile.txt:297-300] |
| Obfuscated Files or Information | T1027 | Multi-pass XOR-loop string decryption with varying constants^[r2:entry0] ^[r2:fcn.140026270] ^[r2:fcn.140006290] |
| Runtime Data Decryption | T1027.002 | Hardcoded MD5-like string used as decryption integrity check^[r2:fcn.140006290] |

References

  • Artifact ID: 0c3c3805-1fac-42f1-8f37-78959704b0d2
  • Source: OpenCTI / MalwareBazaar
  • Related wiki pages: None established for this build cluster.

Provenance

Static analysis performed with radare2 (entry-point and top-level callees decompiled), pefile (header parse), exiftool (timestamp), binwalk (packer scan), strings (ASCII extraction). CAPE detonation skipped — no Windows analysis guest available at time of analysis. FLOSS and CAPA failed due to tool-configuration errors (no signatures installed). No Ghidra decompilation obtained (analysis incomplete at time of drafting).