skuld | daf5ea8c5e1f7bdf0a5f12c8671b14642d6e3349390629da9f7dc754e610fafd

General

Target

2024-06-26_3df7235123bbc4c52d379fe372ac0045_ngrbot_poet-rat_snatch
Size

9.5MB
Sample

240626-a7b55sxamk
MD5

3df7235123bbc4c52d379fe372ac0045
SHA1

da818e86cf02fffcacbe468b8bb63e7a1da91ad9
SHA256

daf5ea8c5e1f7bdf0a5f12c8671b14642d6e3349390629da9f7dc754e610fafd
SHA512

a3f86b6a3afe12098f503edcc96c585b8fef60fd23dcb03653888c8e63e977f8d4b23fc8803acfc41f59f8923401ab7978342c4b9e7fd7a0357070950d7d0558
SSDEEP

98304:FcJW4J6EdbyvYB8LY0iyo4tTEyzxqFgzC13h:QnJ6EIwAY0iyrtAyzPC13h

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1238433893808607232/L-4VX5UhdUB3u0Rm9Q2PK-IFjyExOgtlCYofIfDjLcneVNTB6DlwIRxcFxSylsPnZ2GS

Targets

- Target
  
  2024-06-26_3df7235123bbc4c52d379fe372ac0045_ngrbot_poet-rat_snatch
- Size
  
  9.5MB
- MD5
  
  3df7235123bbc4c52d379fe372ac0045
- SHA1
  
  da818e86cf02fffcacbe468b8bb63e7a1da91ad9
- SHA256
  
  daf5ea8c5e1f7bdf0a5f12c8671b14642d6e3349390629da9f7dc754e610fafd
- SHA512
  
  a3f86b6a3afe12098f503edcc96c585b8fef60fd23dcb03653888c8e63e977f8d4b23fc8803acfc41f59f8923401ab7978342c4b9e7fd7a0357070950d7d0558
- SSDEEP
  
  98304:FcJW4J6EdbyvYB8LY0iyo4tTEyzxqFgzC13h:QnJ6EIwAY0iyrtAyzPC13h
Score

10^/10

skuld execution persistence privilege_escalation spyware stealer
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing possible sandbox system UUIDs
- Detects executables referencing virtualization MAC addresses
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2