General

  • Target

    Terbium 1.2.exe

  • Size

    9.5MB

  • Sample

    240711-dc4tfsvfjr

  • MD5

    df00bc36e9b00874ff8f495a29d9f429

  • SHA1

    3f3140a188943673e7b90b819005548042c9b675

  • SHA256

    27e10c80006f2080f85b3b9aff0d165044d1954385ea16d6e48dabaa6a1ec5af

  • SHA512

    c79ce66d9c73e64cc3060437bf9d2f9f3f17067b0e4ebb8b30d4863ec417ad1f95c315810168d34058f82804ca59a1d8f442d81c265e57dc330670025b152f88

  • SSDEEP

    98304:YVMHJFAvLQWabWp2le10+9XTA8E6oMsaSk5e/UI:PFAvLCev10+9DA16oM1e/UI

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1260739914253991956/NKvC4KymlhPTNJNmbkQtDwm5AXdtAESkrV95KgMKN5kz9Z_06X949ZzR7jGGnoW0AnBX

Targets

    • Target

      Terbium 1.2.exe

    • Size

      9.5MB

    • MD5

      df00bc36e9b00874ff8f495a29d9f429

    • SHA1

      3f3140a188943673e7b90b819005548042c9b675

    • SHA256

      27e10c80006f2080f85b3b9aff0d165044d1954385ea16d6e48dabaa6a1ec5af

    • SHA512

      c79ce66d9c73e64cc3060437bf9d2f9f3f17067b0e4ebb8b30d4863ec417ad1f95c315810168d34058f82804ca59a1d8f442d81c265e57dc330670025b152f88

    • SSDEEP

      98304:YVMHJFAvLQWabWp2le10+9XTA8E6oMsaSk5e/UI:PFAvLCev10+9DA16oM1e/UI

    • Skuld stealer

      An info stealer written in Go lang.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks