skuld | 81c43844d18eee0ff82671ed0235cd9081d62668fc6c5f338a70cdad48d38f3c

General

Target

solara.exe
Size

31.2MB
MD5

db574505e197fc696b7484a3f5a06bb0
SHA1

7cb74600a75354a787ff7964e5fe2b55f5cfe7f8
SHA256

81c43844d18eee0ff82671ed0235cd9081d62668fc6c5f338a70cdad48d38f3c
SHA512

76eb487866ed9c8bcaeb06775e254f69df27c0a6f300aebab698a4e20a5e25dd21c8d12ec1fe15b10cc15ee6353761457c50cb476f68ee3ba3fbe1b5e5b654ab
SSDEEP

786432:XCALehCHTZWhnaY6mpZbx7dt8CbTAq44A9riGotv7V0U30pBg4JYWTNOwUSfEt45:XhzZWhna50NZOCbTbpaeGotTVNT4eqNb

Score

10^/10

skuld pyinstaller stealer upx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1253312688864497665/375hzY1fiOjkE25L3-nbomdQUITdEzw5TbF9fCfxMycDpfz09qByG-R9KOpVUwhbMOaj

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 6 IoCs

pid	Process
3040	1.exe
3036	1.exe
2524	2.exe
1820	3.exe
2308	2.exe
1204	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
1400	solara.exe
3036	1.exe
1400	solara.exe
1400	solara.exe
2280	Process not Found
2308	2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d13-30.dat	upx
behavioral1/memory/3036-32-0x000007FEF5B70000-0x000007FEF5FDE000-memory.dmp	upx
behavioral1/files/0x0005000000019cc5-162.dat	upx
behavioral1/memory/2308-165-0x000007FEF5700000-0x000007FEF5B6E000-memory.dmp	upx
behavioral1/memory/1332-297-0x0000000140000000-0x00000001405E8000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1.exe	solara.exe
File opened for modification	C:\Windows\SysWOW64\1.exe	solara.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	solara.exe
File opened for modification	C:\Windows\2.exe	solara.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000015fbb-37.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3040	1400	solara.exe	28
PID 1400 wrote to memory of 3040	1400	solara.exe	28
PID 1400 wrote to memory of 3040	1400	solara.exe	28
PID 1400 wrote to memory of 3040	1400	solara.exe	28
PID 3040 wrote to memory of 3036	3040	1.exe	29
PID 3040 wrote to memory of 3036	3040	1.exe	29
PID 3040 wrote to memory of 3036	3040	1.exe	29
PID 1400 wrote to memory of 2524	1400	solara.exe	30
PID 1400 wrote to memory of 2524	1400	solara.exe	30
PID 1400 wrote to memory of 2524	1400	solara.exe	30
PID 1400 wrote to memory of 2524	1400	solara.exe	30
PID 1400 wrote to memory of 1820	1400	solara.exe	31
PID 1400 wrote to memory of 1820	1400	solara.exe	31
PID 1400 wrote to memory of 1820	1400	solara.exe	31
PID 1400 wrote to memory of 1820	1400	solara.exe	31
PID 1400 wrote to memory of 280	1400	solara.exe	33
PID 1400 wrote to memory of 280	1400	solara.exe	33
PID 1400 wrote to memory of 280	1400	solara.exe	33
PID 1400 wrote to memory of 280	1400	solara.exe	33
PID 2524 wrote to memory of 2308	2524	2.exe	34
PID 2524 wrote to memory of 2308	2524	2.exe	34
PID 2524 wrote to memory of 2308	2524	2.exe	34

C:\Users\Admin\AppData\Local\Temp\solara.exe
"C:\Users\Admin\AppData\Local\Temp\solara.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\1.exe
  "C:\Windows\system32\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\1.exe
    "C:\Windows\system32\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3036
- C:\Windows\2.exe
  "C:\Windows\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\2.exe
    "C:\Windows\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
- C:\Users\Admin\AppData\Roaming\3.exe
  "C:\Users\Admin\AppData\Roaming\3.exe"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\solara.exe" >> NUL
  2⤵
  PID:280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25242\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30402\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Windows\2.exe

Filesize
17.8MB

MD5
508508ff00167e689fae9110575e7268

SHA1
f8f1555cabbee2a52d7bc4cb554eba789b3f765e

SHA256
b97d84ba955cb20dd440a3de240807eefb22ab8bcbf695faff5f3c310c166b84

SHA512
3e54931d231077ce46b79d6afabc4a71216c0be9a0381800bfda287f81cba94bb4dc6327756cbd09ee466a582b9aa6fa4e7a5d4467225e0013e4cb1725b42c25

Download Submit
\Users\Admin\AppData\Roaming\3.exe

Filesize
9.5MB

MD5
b828a4d1a49574647d1bd6a6990334d7

SHA1
e35c99ecbefb1d7ce83f519d48098d1a3c005886

SHA256
b571568f26f4b1eb13265c1699d3aa9cc63448b1e4979ebfc7c5ec5617685528

SHA512
d2618681fb9dbf62276991bc89f05d02fb6ace08b0b51eb721d10d2dc1b222955b6cfc90eec3fbc3f7f38d7e6b6ffb720995f5dbf22eb18a39bd34badf8baff0

Download Submit
\Windows\SysWOW64\1.exe

Filesize
6.0MB

MD5
cb5176e91a32570a2238ef8f5f4b14e7

SHA1
4ad8ace051f9de10b58a29f3bd0703abeaa733bb

SHA256
b734831353a60b9ed46e0c700706964b6b6836bd3c1601e886eb5026cbbbf8c0

SHA512
7ff541f04e046b48b23da3c05824d8d06bdb2bc53db0433745ab64681f22b21f284cffaef539bfe527d5399a141b9764a74077c0674dc0e3a066f94d6919c78a

Download Submit
memory/1332-297-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1332-298-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1400-0-0x0000000000400000-0x000000000254D000-memory.dmp

Filesize
33.3MB

Download
memory/1400-163-0x0000000000400000-0x000000000254D000-memory.dmp

Filesize
33.3MB

Download
memory/2308-165-0x000007FEF5700000-0x000007FEF5B6E000-memory.dmp

Filesize
4.4MB

Download
memory/3036-32-0x000007FEF5B70000-0x000007FEF5FDE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing