type: entity
confidence: low
created: 2026-05-31
updated: 2026-05-31
tags: malware-family, infostealer, pe, compiler, obfuscation, c2, defense-evasion, mitre-attck

ayrseushop

Overview

Windows infostealer family label observed in OpenCTI (tag ayrseu-shop), frequently co-labelled with remusstealer and sunwukong. The corpus contains at least two distinct build clusters under this umbrella:

  1. Go-based cluster — see menomoushop (Go 1.25.4, Authenticode signed, TLS C2).
  2. MSVC-native cluster — represented by this sample (5a5b3373): x64 PE with heavy XOR-loop string obfuscation, GDI screenshot capture, clipboard theft, and COM/WMI abuse.

Because the OpenCTI label is applied broadly, confidence that ayrseushop denotes a single cohesive family is low. The MSVC variant may be an unrelated kit that shares only distribution infrastructure or bundler tags with the Go cluster; nothing on this page ties the two clusters together at the code level.

Build Stack

  • Compiler: MSVC 14.0 (Visual Studio 2015+)
  • Arch: PE32+ x86-64, Windows GUI subsystem
  • Signed: No
  • Packing: None
  • Obfuscation: Flattened control-flow with multi-pass XOR-loop string decryption (distinct constants per module)
  • Anti-analysis: TEB/PEB access at startup (gs:[0]), a weak indicator on its own since MSVC-generated TLS and SEH code also reads the TEB; zero IAT in COM dispatch stubs

Capabilities

  • runtime-string-decryption-xor-loop
  • clipboard-harvesting-openclipboard
  • screenshot-capture-gdi-bitblt
  • system-enumeration-computername-username
  • com-initialisation-wmi-inferred
  • oleaut32-bstr-manipulation
  • display-metrics-enumeration
  • no-static-c2-all-runtime-decoded

Deploy / TTPs

Technique                           ID     Evidence
Clipboard Data                      T1115  GetClipboardData, OpenClipboard imported
Screen Capture                      T1113  BitBlt, GetDIBits, CreateCompatibleDC imported
System Information Discovery        T1082  GetComputerNameA, GetComputerNameExA, GetUserNameA, EnumDisplaySettingsW imported
Windows Management Instrumentation  T1047  CoCreateInstance, CoInitializeSecurity, OLEAUT32 BSTR operations (WMI use inferred from COM initialisation only)
Obfuscated Files or Information     T1027  Multi-pass XOR decryption with varying 16-bit constants
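Worked example, added to this entry and not taken from the sample or its analysis: brute-force recovery of a 16-bit XOR constant of the kind the T1027 row and the runtime-string-decryption-xor-loop capability describe. The encoder is a hypothetical reconstruction (a 16-bit word repeated little-endian across the buffer, several passes with distinct constants); the real sample's layout, constants and pass order are not on this page, and the encoded blob and the C2 path inside it are constructed for the demonstration (203.0.113.9 is a documentation address, not an observed indicator).

```python
"""
Brute-forcing a 16-bit XOR string-obfuscation constant.

Added worked example for the ayrseushop entry; not code from the sample,
the analysis, or any tool the page names. The scheme is a hypothetical
reconstruction of "multi-pass XOR with 16-bit constants": each pass XORs
the buffer with a 16-bit word laid out little-endian and repeated. The
sample's real constants, pass order and layout are not documented here.
"""
from itertools import cycle

# Tokens that commonly surface in runtime-decoded stealer strings (C2 URLs,
# registry paths, module names). Multi-byte only: single bytes match by chance.
TOKENS = (b"http", b"://", b".php", b"Software\\", b".exe", b".dll", b"User-Agent")


def xor16_pass(data: bytes, key: int) -> bytes:
    """One XOR pass with a 16-bit constant, little-endian, repeated over data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.to_bytes(2, "little"))))


def encode_multipass(plain: bytes, keys) -> bytes:
    """Hypothetical encoder: successive passes with distinct 16-bit constants.
    Position-aligned XOR passes compose, so this equals a single pass with the
    XOR of all keys (k1 ^ k2 ^ ... ^ kN)."""
    out = plain
    for k in keys:
        out = xor16_pass(out, k)
    return out


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7E."""
    if not buf:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf)


def brute_force_xor16(blob: bytes, min_ratio: float = 0.97, top: int = 5):
    """Try all 65536 constants; keep candidates that decode to a printable
    NUL-terminated C string and rank them by indicator-token hits, then by
    printable ratio. Returns [(key, decoded_body, hits, ratio), ...] best first.
    One sweep suffices however many passes the decryptor runs, because the
    passes collapse to one effective constant."""
    candidates = []
    for key in range(0x10000):
        cand = xor16_pass(blob, key)
        body = cand.split(b"\x00", 1)[0]      # treat as a C string
        if len(body) < 4:
            continue
        ratio = printable_ratio(body)
        if ratio < min_ratio:
            continue
        hits = sum(body.count(t) for t in TOKENS)
        candidates.append((key, body, hits, ratio))
    candidates.sort(key=lambda c: (-c[2], -c[3], c[0]))
    return candidates[:top]


# Constructed sample: a hypothetical C2 path encoded with two passes.
PASS_KEYS = [0x4F2A, 0x91C3]
SAMPLE_BLOB = encode_multipass(b"http://203.0.113.9/gate.php\x00", PASS_KEYS)

if __name__ == "__main__":
    for key, body, hits, ratio in brute_force_xor16(SAMPLE_BLOB):
        print(f"key=0x{key:04X} hits={hits} ratio={ratio:.2f} {body!r}")
    print(f"effective constant 0x{PASS_KEYS[0] ^ PASS_KEYS[1]:04X}")
```

The property worth remembering during triage is that position-aligned XOR passes compose: the plaintext is one 65536-key sweep away no matter how many passes the decryptor runs, and the token and printable-ratio scoring separates the real key from the many small-delta keys that also yield printable text. The sweep stops working if a variant rolls the constant per iteration or applies passes with different strides, so the "distinct constants per module" noted under Build Stack should be confirmed in a debugger before a static sweep is trusted for that module.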

Variants / Aliases

  • ayrseu-shop — primary OpenCTI / MalwareBazaar label
  • remusstealer — co-label on multiple siblings (may actually denote a separate Go cluster)
  • sunwukong — third co-label; also applies to the MSVC PEB-walking loader cluster (hippamsascom / sunwukong)

Notable Analyses

  • 5a5b3373, MSVC x64, static-only: /intel/analyses/5a5b337353b1a5faa9a3a18887de1235426da743fb6d77885c78b03db47b12cb.html

Related

  • menomoushop — Go 1.25.4 infostealer cluster sharing the remusstealer label
  • hippamsascom — MSVC x64 loader cluster with zero IAT and semantic export obfuscation (shares sunwukong label)
  • sunwukong — MSVC x64 PEB-walking loader (shares sunwukong label)