skuld | 87c7df48dbf1ef567445595a16463dc5202c963081fe36bd42164959fb077114

General

Target

2024-06-22_54ed565144faab98985baf2347062bc0_ngrbot_poet-rat_snatch
Size

14.2MB
Sample

240622-r9g8lswgkm
MD5

54ed565144faab98985baf2347062bc0
SHA1

f940e7367c6bb75e845f3b6507ecf40e94c0fb98
SHA256

87c7df48dbf1ef567445595a16463dc5202c963081fe36bd42164959fb077114
SHA512

f91d1e9111c09ed8bccb2c57e52acd920fb37c4459292889e86cfea809880495a8dd5b685d142b6422076bd0bc186a67af2ca490d8d96b85ec532fb01ebe05f9
SSDEEP

196608:BMhP4WgzpUmKAUzo4z3wVSIPLFFrL0AGtWT6U:ByP2So40HLvL7Gty

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1253730441798619290/8i7EDWnDBIVUaUK4Cc_uCBpH3AvOkoWdqTRkWdQoUzZ0jDSGq5-cP0fBBJXJgJ76aKZm

Targets

- Target
  
  2024-06-22_54ed565144faab98985baf2347062bc0_ngrbot_poet-rat_snatch
- Size
  
  14.2MB
- MD5
  
  54ed565144faab98985baf2347062bc0
- SHA1
  
  f940e7367c6bb75e845f3b6507ecf40e94c0fb98
- SHA256
  
  87c7df48dbf1ef567445595a16463dc5202c963081fe36bd42164959fb077114
- SHA512
  
  f91d1e9111c09ed8bccb2c57e52acd920fb37c4459292889e86cfea809880495a8dd5b685d142b6422076bd0bc186a67af2ca490d8d96b85ec532fb01ebe05f9
- SSDEEP
  
  196608:BMhP4WgzpUmKAUzo4z3wVSIPLFFrL0AGtWT6U:ByP2So40HLvL7Gty
Score

10^/10

skuld execution persistence privilege_escalation spyware stealer
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing possible sandbox system UUIDs
- Detects executables referencing virtualization MAC addresses
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2