Overview

overview

10

Static

static

10

slinky/slinky.exe

windows11-21h2-x64

10

slinky/sli...ry.dll

windows11-21h2-x64

1

slinky/slinkyhook.dll

windows11-21h2-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    slinky.rar

  • Size

    26.1MB

  • Sample

    240723-krcf3sxdmc

  • MD5

    c02d06b6616e43e6a5b993ffd6e9ab02

  • SHA1

    69b0b00cbbf5f06eaf6da1d708c910146118613b

  • SHA256

    8e821d40a03bf219e4823ca648e19948ffe8a5e9d02c0917c61010d6d78fab65

  • SHA512

    d239c0600971f283917b64d4b081c1db9e6a12bd6ec565252906a00c7e4ca888a97a70e4647b6c16ea7eebaa63f8c3dd819120c89ad4ac3a1171c3562d73fbda

  • SSDEEP

    786432:GDR8xQWsib535X/elpmNnnFqbZ6dvXRs+:GGQWF5JX/efY5B

Score
10/10
skuldexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1262304792059969556/fyUPRB5FdDVKkteeBILMdxxwDztQAiGbPM8LGLyvygZZy-OC8qRpJvw9ZEofIWBHqRjM

Targets

    • Target

      slinky/slinky.exe

    • Size

      14.2MB

    • MD5

      408214e2e5474991acddca75350c23df

    • SHA1

      196aba366c6fefc2f9075a19186b47319cfd5c3a

    • SHA256

      854dda4311f184951a17cee9b36f40414c8b19808b96daff7b2139f446851a9a

    • SHA512

      171ce4c86cd38cff4403604698207f114b4834b8812de6803d73716fdb83bd72031576f47cb7a89a2203d123f3bc14288c2a229af5be5db3d64c3165fa3e6d8b

    • SSDEEP

      196608:7WJafoL/tUoTX4ZXbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:7Wsfm/6bh1lkSFCdTauZo

    Score
    10/10
    skuldexecutionpersistenceprivilege_escalationspywarestealer

    • Skuld stealer

      An info stealer written in Go lang.

      stealerskuld

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1

    • Target

      slinky/slinky_library.dll

    • Size

      11.7MB

    • MD5

      f4f7eacab208d7b50d50f196bd3facd2

    • SHA1

      82ca056ecb89d1612df069a42952e077f7e079e1

    • SHA256

      4f35cfe4d051d56cc22dc2743024ffa0f3b4ee906b34c4336c72d71bc55de708

    • SHA512

      9b61bd125e066df121186057bcb163bfb3d8fb9ff3447963df0e9b14ab57fdf6a8d1faf61a5e75dc3e53425f541bb624b9d8b787e322ea6b675489d532b8f001

    • SSDEEP

      3:WAYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYw:z

    Score
    1/10
    behavioral2

    • Target

      slinky/slinkyhook.dll

    • Size

      228KB

    • MD5

      6d8c17c67970cb5841811eed8adffffc

    • SHA1

      c869ab32318a035e51aff8e5e11b4cd25fb52a4f

    • SHA256

      7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8

    • SHA512

      7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72

    • SSDEEP

      3072:hXxN1I6PgabbAzVxPLI5oIa5amK/1o4ptgELHY1lNyc+m+e7P26g66OVuknsDe0u:hhN1GFZq/15tFc+m97ieuknsDu

    Score
    1/10
    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Tasks