General

  • Target

    Skibdi.rar

  • Size

    8.9MB

  • Sample

    240531-p6n6mshe21

  • MD5

    2cafe641ac384c418e886c662b5587ab

  • SHA1

    cc64dad0ea3668d129671c00efe93439200c8def

  • SHA256

    ebdaeb6f096cc2650722bf5f0865e22b0ebb109501c73029b538e78053a56b2c

  • SHA512

    be40aa3d714c676d1598fdba071b96793e6bddba738e2841405a842be9a1220829614c6bb9194cdb7247cd0ff0a7ba72d3b377b7f1f6b0f7c20524c39bc67556

  • SSDEEP

    196608:G6n7woEnbi1OqAihNXNfciltLgjnhbZrO8CgRVp4PJKzHX:G6n7VE1qAiv5Jsjhbw83PpWKzHX

Malware Config

Targets

    • Target

      Skibdi/drv.dll

    • Size

      192KB

    • MD5

      6ee2a88665ddd9cf5f0ac3da3232fc88

    • SHA1

      78bf139d0e388067866c919376c033dbf3ae7c39

    • SHA256

      dfc0065b0986bd34fce26b4b8578e3802c885e4aa9bf4a5e2bdb102576204573

    • SHA512

      764d2ba61aeadab5c00724338d61e8cf965ff65e9dad86831ef7372510395f8aeaf91bbf0df5d2c7a4b01f2a9d891ba65e10b6678a8c2a16de43eb6ad4ab17c0

    • SSDEEP

      6144:w5qJ7GTFBer2nSiEh/P9mFTnNrouVagwzUiYJ:4Q7EX+2SjhaTnNroMwzS

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      Skibdi/rbx.exe

    • Size

      8.9MB

    • MD5

      7501a30689d4faa0a55324304b93b2f4

    • SHA1

      6a0eed79a4e81822dec9bb1d43d7e3997287a9b4

    • SHA256

      7b2b4143316526e892101745c666723e32bd3d1b65cf3418fb1638b5af0cc6b2

    • SHA512

      d2c4d82573d1547a57497a9854510c930d1338d47dcdf650d3e5d57f305b1fd19f3d3518e99ad2b9363467daa36e89f1b9d606183265eb788184c6c486ff97ad

    • SSDEEP

      196608:qrOiHyZ7urErvI9pWjgaAnajMsbSEo23fQC//OoLxh2:cyZ7urEUWjJjIfoo4jLxh2

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks