Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 19:49

General

  • Target

    2024-06-28_1be94157b0913505663b33e385fc661a_ngrbot_poet-rat_snatch.exe

  • Size

    9.5MB

  • MD5

    1be94157b0913505663b33e385fc661a

  • SHA1

    7d0166709d002b7669ef738eee92b54d03959835

  • SHA256

    1782797f8874cb105549a70054fd5dfe41b9e24c685602782119ff01c583a18c

  • SHA512

    0798082cad2988ae649bf57cd58c41db6173b7119c42299bc94d67f8d163bdd0b34463da159dcd6c44bc940199c7a4fb56945559b83dc9b33538bb387287b61e

  • SSDEEP

    98304:p0uCF1r4MA99QQjCvVwPIieO7XubEeszsFgLxUf6:rEr4MAQ3wPIiemXuIeszWf

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1256150041513562143/LfrA9YKj_eB7YuAhTIl0O-spiEIkK-M3AYcBofAqSotskvUIB1bZRSbod7TXYgA7oLQp

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 1 IoCs
  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 1 IoCs
  • Detects executables containing possible sandbox system UUIDs 1 IoCs
  • Detects executables referencing virtualization MAC addresses 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 13 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-28_1be94157b0913505663b33e385fc661a_ngrbot_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-28_1be94157b0913505663b33e385fc661a_ngrbot_poet-rat_snatch.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-06-28_1be94157b0913505663b33e385fc661a_ngrbot_poet-rat_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:2056
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:1440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

    Filesize

    9.5MB

    MD5

    1be94157b0913505663b33e385fc661a

    SHA1

    7d0166709d002b7669ef738eee92b54d03959835

    SHA256

    1782797f8874cb105549a70054fd5dfe41b9e24c685602782119ff01c583a18c

    SHA512

    0798082cad2988ae649bf57cd58c41db6173b7119c42299bc94d67f8d163bdd0b34463da159dcd6c44bc940199c7a4fb56945559b83dc9b33538bb387287b61e