Extracted

• • Target

    2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch

  • Size

    9.3MB

  • MD5

    56b797edc38ad73eb8d53b8cc0663dc4

  • SHA1

    6883e7608a5cd27ee53d18f27e19f325b4de04c8

  • SHA256

    73b413134f3ca2bbc04ac21cfbc33156d78667bb30c8da7356f0e2b72dd158c2

  • SHA512

    473963efa2f54fcf128040df737db94154655bf46ad6c5119ef067feb0f83bda0edca7abdb4d61fc9834586576f61ac73cbfb682660922d8351f4c2ee2e66c56

  • SSDEEP

    98304:msGLMqMUzFeUoGgcmmPsWvpIq+EV6wKIii8HlD+:SBMUzQyPsWvCq7sfD

  Score

  10^/10

  skuldpersistencestealer

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables Discord URL observed in first stage droppers

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

  • Detects executables containing URLs to raw contents of a Github gist

  • Detects executables containing possible sandbox system UUIDs

  • Detects executables referencing virtualization MAC addresses

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  behavioral1behavioral2