Overview

overview

10

Static

static

3

2024-06-25...ch.exe

windows7-x64

1

2024-06-25...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-25_b828a4d1a49574647d1bd6a6990334d7_ngrbot_poet-rat_snatch.exe

  • Size

    9.5MB

  • MD5

    b828a4d1a49574647d1bd6a6990334d7

  • SHA1

    e35c99ecbefb1d7ce83f519d48098d1a3c005886

  • SHA256

    b571568f26f4b1eb13265c1699d3aa9cc63448b1e4979ebfc7c5ec5617685528

  • SHA512

    d2618681fb9dbf62276991bc89f05d02fb6ace08b0b51eb721d10d2dc1b222955b6cfc90eec3fbc3f7f38d7e6b6ffb720995f5dbf22eb18a39bd34badf8baff0

  • SSDEEP

    98304:hKTBQiVfr1oo2uvxXKWOwCu5eEgG8zSF8h2nR3:UjVfr1NKWOwj5bv8juR3

Score
10/10
skuldpersistencestealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1253312688864497665/375hzY1fiOjkE25L3-nbomdQUITdEzw5TbF9fCfxMycDpfz09qByG-R9KOpVUwhbMOaj

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-25_b828a4d1a49574647d1bd6a6990334d7_ngrbot_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-25_b828a4d1a49574647d1bd6a6990334d7_ngrbot_poet-rat_snatch.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-06-25_b828a4d1a49574647d1bd6a6990334d7_ngrbot_poet-rat_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:2528
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:4740
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1084

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      Filesize

      9.5MB

      MD5

      b828a4d1a49574647d1bd6a6990334d7

      SHA1

      e35c99ecbefb1d7ce83f519d48098d1a3c005886

      SHA256

      b571568f26f4b1eb13265c1699d3aa9cc63448b1e4979ebfc7c5ec5617685528

      SHA512

      d2618681fb9dbf62276991bc89f05d02fb6ace08b0b51eb721d10d2dc1b222955b6cfc90eec3fbc3f7f38d7e6b6ffb720995f5dbf22eb18a39bd34badf8baff0

      Download Submit