skuld | 73b413134f3ca2bbc04ac21cfbc33156d78667bb30c8da7356f0e2b72dd158c2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
Size

9.3MB
MD5

56b797edc38ad73eb8d53b8cc0663dc4
SHA1

6883e7608a5cd27ee53d18f27e19f325b4de04c8
SHA256

73b413134f3ca2bbc04ac21cfbc33156d78667bb30c8da7356f0e2b72dd158c2
SHA512

473963efa2f54fcf128040df737db94154655bf46ad6c5119ef067feb0f83bda0edca7abdb4d61fc9834586576f61ac73cbfb682660922d8351f4c2ee2e66c56
SSDEEP

98304:msGLMqMUzFeUoGgcmmPsWvpIq+EV6wKIii8HlD+:SBMUzQyPsWvCq7sfD

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1254554406678958110/o7wQ60ExSOGXIXSGgiC0Ju8mUqnQxRGrcENM02LRwolrQDNAk3eIwL3iVrc6ojOqHzGl

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables Discord URL observed in first stage droppers 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing URLs to raw contents of a Github gist 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing possible sandbox system UUIDs 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Detects executables referencing virtualization MAC addresses 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
8	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1900	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
Token: SeIncreaseQuotaPrivilege	4968	wmic.exe
Token: SeSecurityPrivilege	4968	wmic.exe
Token: SeTakeOwnershipPrivilege	4968	wmic.exe
Token: SeLoadDriverPrivilege	4968	wmic.exe
Token: SeSystemProfilePrivilege	4968	wmic.exe
Token: SeSystemtimePrivilege	4968	wmic.exe
Token: SeProfSingleProcessPrivilege	4968	wmic.exe
Token: SeIncBasePriorityPrivilege	4968	wmic.exe
Token: SeCreatePagefilePrivilege	4968	wmic.exe
Token: SeBackupPrivilege	4968	wmic.exe
Token: SeRestorePrivilege	4968	wmic.exe
Token: SeShutdownPrivilege	4968	wmic.exe
Token: SeDebugPrivilege	4968	wmic.exe
Token: SeSystemEnvironmentPrivilege	4968	wmic.exe
Token: SeRemoteShutdownPrivilege	4968	wmic.exe
Token: SeUndockPrivilege	4968	wmic.exe
Token: SeManageVolumePrivilege	4968	wmic.exe
Token: 33	4968	wmic.exe
Token: 34	4968	wmic.exe
Token: 35	4968	wmic.exe
Token: 36	4968	wmic.exe
Token: SeIncreaseQuotaPrivilege	4968	wmic.exe
Token: SeSecurityPrivilege	4968	wmic.exe
Token: SeTakeOwnershipPrivilege	4968	wmic.exe
Token: SeLoadDriverPrivilege	4968	wmic.exe
Token: SeSystemProfilePrivilege	4968	wmic.exe
Token: SeSystemtimePrivilege	4968	wmic.exe
Token: SeProfSingleProcessPrivilege	4968	wmic.exe
Token: SeIncBasePriorityPrivilege	4968	wmic.exe
Token: SeCreatePagefilePrivilege	4968	wmic.exe
Token: SeBackupPrivilege	4968	wmic.exe
Token: SeRestorePrivilege	4968	wmic.exe
Token: SeShutdownPrivilege	4968	wmic.exe
Token: SeDebugPrivilege	4968	wmic.exe
Token: SeSystemEnvironmentPrivilege	4968	wmic.exe
Token: SeRemoteShutdownPrivilege	4968	wmic.exe
Token: SeUndockPrivilege	4968	wmic.exe
Token: SeManageVolumePrivilege	4968	wmic.exe
Token: 33	4968	wmic.exe
Token: 34	4968	wmic.exe
Token: 35	4968	wmic.exe
Token: 36	4968	wmic.exe
Token: SeIncreaseQuotaPrivilege	1900	wmic.exe
Token: SeSecurityPrivilege	1900	wmic.exe
Token: SeTakeOwnershipPrivilege	1900	wmic.exe
Token: SeLoadDriverPrivilege	1900	wmic.exe
Token: SeSystemProfilePrivilege	1900	wmic.exe
Token: SeSystemtimePrivilege	1900	wmic.exe
Token: SeProfSingleProcessPrivilege	1900	wmic.exe
Token: SeIncBasePriorityPrivilege	1900	wmic.exe
Token: SeCreatePagefilePrivilege	1900	wmic.exe
Token: SeBackupPrivilege	1900	wmic.exe
Token: SeRestorePrivilege	1900	wmic.exe
Token: SeShutdownPrivilege	1900	wmic.exe
Token: SeDebugPrivilege	1900	wmic.exe
Token: SeSystemEnvironmentPrivilege	1900	wmic.exe
Token: SeRemoteShutdownPrivilege	1900	wmic.exe
Token: SeUndockPrivilege	1900	wmic.exe
Token: SeManageVolumePrivilege	1900	wmic.exe
Token: 33	1900	wmic.exe
Token: 34	1900	wmic.exe
Token: 35	1900	wmic.exe
Token: 36	1900	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3528	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	83
PID 1412 wrote to memory of 3528	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	83
PID 1412 wrote to memory of 3108	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	84
PID 1412 wrote to memory of 3108	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	84
PID 1412 wrote to memory of 4968	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	86
PID 1412 wrote to memory of 4968	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	86
PID 1412 wrote to memory of 1900	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	90
PID 1412 wrote to memory of 1900	1412	2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe	90

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3528	attrib.exe
3108	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-06-24_56b797edc38ad73eb8d53b8cc0663dc4_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:3528
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3108
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.3MB

MD5
56b797edc38ad73eb8d53b8cc0663dc4

SHA1
6883e7608a5cd27ee53d18f27e19f325b4de04c8

SHA256
73b413134f3ca2bbc04ac21cfbc33156d78667bb30c8da7356f0e2b72dd158c2

SHA512
473963efa2f54fcf128040df737db94154655bf46ad6c5119ef067feb0f83bda0edca7abdb4d61fc9834586576f61ac73cbfb682660922d8351f4c2ee2e66c56

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads