General

  • Target

    2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch

  • Size

    9.5MB

  • Sample

    240702-llbg9swfjf

  • MD5

    a2b87e6a5c8aec79f8b654a929f8fcf5

  • SHA1

    a2ce30605679a7d71a4f2a8c23face1e03656f2a

  • SHA256

    4d7bfb4f771703f084916e2b4e45d58d1b4ef09aa202bf2ae14015bb9843c521

  • SHA512

    756d2f0b94514bef633453a9add5eb4e493b4c5c057e1e743979109bf76f64a010cac600b25fd8582b0e41e29274e6809c79ef6662daa3a0504cce1a2d6dec12

  • SSDEEP

    98304:dszauTezYYjzQ4U+pT9Ssz/4E3MHUFce3:6pTezfznpT9SI/x3MS3

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1252623698922442854/ObgznnI5RtU4sKRGNHA-YO9uAJPv_fG23fCD82lWzqky7fR9_OYpCVxZwFFprN-p3XQQ

Targets

    • Target

      2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch

    • Skuld stealer

      An information stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store account details and other user data on disk, which infostealers commonly collect.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials and session cookies.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Drive and disk information is often enumerated to detect sandbox environments.
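The behaviours above (external IP lookup, then exfiltration to a Discord webhook) leave a recognisable sequence in egress proxy logs. The following detection script is an added example and is not part of the report or the Skuld project: it parses proxy-style log lines, extracts Discord webhook IDs, matches them against the webhook ID taken from the C2 entry above, and raises the severity for a host that queried an IP-lookup service shortly before posting to a webhook. The log format, the hostnames WS-0412/WS-0099/WS-0207, the second webhook URL and the list of IP-lookup domains are all constructed for illustration.

```python
"""Detect Discord-webhook exfiltration and the IP-lookup step that precedes it.

Added example for the report above; the log lines below are constructed.
The only real indicator used is the webhook ID from the report's C2 URL.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Webhook IDs already known from reports; seeded with this report's C2 entry.
KNOWN_WEBHOOK_IDS = {"1252623698922442854"}

# Public "what is my IP" services (assumed list; extend from your own telemetry).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "ipinfo.io", "icanhazip.com"}

# Discord webhook URL: /api/webhooks/<snowflake id>/<token>
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)"
)

# Constructed log format: "<iso timestamp> <source host> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample: WS-0412 reproduces the report's sequence, WS-0099 posts to an
# unknown (made-up) webhook without an IP lookup, WS-0207 only does an IP lookup.
SAMPLE_LOG = """\
2024-07-02T10:00:01Z WS-0412 GET https://api.ipify.org/?format=json 200
2024-07-02T10:00:03Z WS-0412 POST https://discord.com/api/webhooks/1252623698922442854/ObgznnI5RtU4sKRGNHA-YO9uAJPv_fG23fCD82lWzqky7fR9_OYpCVxZwFFprN-p3XQQ 204
2024-07-02T10:05:10Z WS-0099 GET https://www.example.com/ 200
2024-07-02T10:06:00Z WS-0099 POST https://discord.com/api/webhooks/123456789012345678/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 204
2024-07-02T10:07:00Z WS-0207 GET https://ifconfig.me/ip 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url, status = m.groups()
    return {"ts": ts, "host": host, "method": method, "url": url, "status": int(status)}


def classify(event):
    """Tag a parsed event: discord_webhook, known_ioc (webhook ID on the IOC list), ip_lookup."""
    tags = []
    m = WEBHOOK_RE.search(event["url"])
    if m:
        tags.append("discord_webhook")
        if m.group(1) in KNOWN_WEBHOOK_IDS:
            tags.append("known_ioc")
    if (urlparse(event["url"]).hostname or "") in IP_LOOKUP_HOSTS:
        tags.append("ip_lookup")
    return tags


def bump(current, candidate):
    """Return the higher of two severities (None counts as lowest)."""
    if current is None:
        return candidate
    return max(current, candidate, key=SEVERITY_ORDER.index)


def extract_webhook_ids(log_text):
    """Collect every webhook ID seen, so new ones can be triaged and added to the IOC list."""
    return {m.group(1) for m in WEBHOOK_RE.finditer(log_text)}


def analyze(log_text):
    """Score each source host.

    critical: post to a webhook ID already on the IOC list
    high:     IP-lookup request followed by a post to any Discord webhook
    medium:   post to a Discord webhook with no preceding IP lookup
    low:      IP lookup only
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            ev["tags"] = classify(ev)
            per_host[ev["host"]].append(ev)

    findings = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
        seen_lookup, severity = False, None
        for ev in events:
            if "ip_lookup" in ev["tags"]:
                seen_lookup = True
                severity = bump(severity, "low")
            if "discord_webhook" in ev["tags"]:
                if "known_ioc" in ev["tags"]:
                    severity = "critical"
                else:
                    severity = bump(severity, "high" if seen_lookup else "medium")
        if severity is not None:
            findings[host] = severity
    return findings


if __name__ == "__main__":
    for host, sev in analyze(SAMPLE_LOG).items():
        print(f"{host}: {sev}")
    print("webhook IDs seen:", sorted(extract_webhook_ids(SAMPLE_LOG)))
```

The webhook ID, not the full URL with token, is the stable indicator: the token is a secret the operator can rotate, while the ID identifies the webhook. Matching on the host-level sequence rather than on the single IOC keeps the rule useful against samples built with a different webhook.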

MITRE ATT&CK Enterprise v15

Tasks