skuld | dc4456eec751dfe2f25ff3e12196946125aa58d02e9a7e36e9d4766619b5df60

General

Target

2024-06-29_1f003bf8e52d99ddc8c2bfc84079e972_ngrbot_poet-rat_snatch
Size

9.5MB
Sample

240630-ady3tazeja
MD5

1f003bf8e52d99ddc8c2bfc84079e972
SHA1

8183c8c99994c61a2325d2754ed3c3c542f530bc
SHA256

dc4456eec751dfe2f25ff3e12196946125aa58d02e9a7e36e9d4766619b5df60
SHA512

16c4898dcc1595828857db527fe448838252391f41267b16d114917bbb65e668de199d0cdc6a655a1ed892840ea57ca60acc50c4bb193d96073c1258ec636cc5
SSDEEP

98304:a0uCF1r4MA99QQjCvVwPIieO7Xu8EeszsFgLxUf6:iEr4MAQ3wPIiemXu1eszWf

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1256140256961495122/gnXwT1RtJefxydjWJvbW-qe1kNMzqMizyxsPM720IrOqd8beoRpBI109eMZvZmnGVus3

Targets

- Target
  
  2024-06-29_1f003bf8e52d99ddc8c2bfc84079e972_ngrbot_poet-rat_snatch
- Size
  
  9.5MB
- MD5
  
  1f003bf8e52d99ddc8c2bfc84079e972
- SHA1
  
  8183c8c99994c61a2325d2754ed3c3c542f530bc
- SHA256
  
  dc4456eec751dfe2f25ff3e12196946125aa58d02e9a7e36e9d4766619b5df60
- SHA512
  
  16c4898dcc1595828857db527fe448838252391f41267b16d114917bbb65e668de199d0cdc6a655a1ed892840ea57ca60acc50c4bb193d96073c1258ec636cc5
- SSDEEP
  
  98304:a0uCF1r4MA99QQjCvVwPIieO7Xu8EeszsFgLxUf6:iEr4MAQ3wPIiemXu1eszWf
Score

10^/10

skuld execution persistence privilege_escalation spyware stealer
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables Discord URL observed in first stage droppers
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing possible sandbox system UUIDs
- Detects executables referencing virtualization MAC addresses
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2