Extracted

• • Target

    2024-07-01_bb5921e2714c9a4afd6c0aff97232bbf_ngrbot_poet-rat_snatch

  • Size

    14.2MB

  • MD5

    bb5921e2714c9a4afd6c0aff97232bbf

  • SHA1

    2bd83915a20790ccd72d478941d10deb6c5bb0dd

  • SHA256

    c8b75435bb5a12a9394b187e861900f0898682ed1ad9bfcae19d43fd6ecaae1c

  • SHA512

    c97a5152d68d2aee74eb5a69a9fe6cdda875ed614c44b21142a2a519a88d8f2239613b7de31c9201a184a62d6ec3096a45eb565976ab726078d6e42e4c5fa758

  • SSDEEP

    196608:qFIAsZlG9mvLSbPpfrw1Hzhj3OTc6sB/0fSpwA:qFnsjaPOxhmcvES

  Score

  10^/10

  skuldexecutionpersistenceprivilege_escalationspywarestealer

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables Discord URL observed in first stage droppers

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

  • Detects executables containing URLs to raw contents of a Github gist

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Drops file in Drivers directory

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2