skuld | f0ebd6bc574a3b23763967a1fa8b7edbeb4b13502419fa4019c31e2acde87273 | Triage

Submit
Reports

Overview

overview

Static

static

2024-06-29...ch.exe

windows7-x64

1

2024-06-29...ch.exe

windows10-2004-x64

Sharing

General

Target

2024-06-29_248e06de3a6ac2d19680e7b8367a0838_ngrbot_poet-rat_snatch
Size

9.5MB
Sample

240629-zya9xswejc
MD5

248e06de3a6ac2d19680e7b8367a0838
SHA1

4c9d8fb42e515a8e4568b0f81ba2d43d0283347e
SHA256

f0ebd6bc574a3b23763967a1fa8b7edbeb4b13502419fa4019c31e2acde87273
SHA512

1c704e6d1210e16c5edbbead5f6be41db7ec88e3df7564ee934981e426ae52f4756b748ca5fea6e047ed0fe3ece650f76a84bdac166aaa2c4ac3b7ee299d9eb3
SSDEEP

98304:MV5Y4P6vQBpwXgOlx8UJEZMFZEMaMFQvpI3:XW6vQ8d8UJE+F6MKpI3

Score

10^/10

skuld persistence stealer

Static task

static1

9 signatures

Behavioral task

behavioral1

Sample

2024-06-29_248e06de3a6ac2d19680e7b8367a0838_ngrbot_poet-rat_snatch.exe

Resource

win7-20240220-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-06-29_248e06de3a6ac2d19680e7b8367a0838_ngrbot_poet-rat_snatch.exe

Resource

win10v2004-20240508-en

skuld persistence stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1256339936106250333/XZw5Fee-OugH38eS3L98gI1PeWaL0YqUwqfnI7vL56W_VPoXPmdxDfMlhU1JoWZQ3MAC

Targets

- Target
  
  2024-06-29_248e06de3a6ac2d19680e7b8367a0838_ngrbot_poet-rat_snatch
- Size
  
  9.5MB
- MD5
  
  248e06de3a6ac2d19680e7b8367a0838
- SHA1
  
  4c9d8fb42e515a8e4568b0f81ba2d43d0283347e
- SHA256
  
  f0ebd6bc574a3b23763967a1fa8b7edbeb4b13502419fa4019c31e2acde87273
- SHA512
  
  1c704e6d1210e16c5edbbead5f6be41db7ec88e3df7564ee934981e426ae52f4756b748ca5fea6e047ed0fe3ece650f76a84bdac166aaa2c4ac3b7ee299d9eb3
- SSDEEP
  
  98304:MV5Y4P6vQBpwXgOlx8UJEZMFZEMaMFQvpI3:XW6vQ8d8UJE+F6MKpI3
Score

10^/10

skuld persistence stealer
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing possible sandbox system UUIDs
- Detects executables referencing virtualization MAC addresses
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

skuldpersistencestealer

© 2018-2025

Terms | Privacy