skuld | 2e51450798aff51ee9ba71eafc8a69ed80c297fa7fe2d6012ae09fb90b08b598

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld123.exe
Size

3.9MB
MD5

b8ba9d8feae82a691ff8df9aa38ebc00
SHA1

987402605449de55bf216ecc8fadf27ef6a10f4a
SHA256

2e51450798aff51ee9ba71eafc8a69ed80c297fa7fe2d6012ae09fb90b08b598
SHA512

da5b185fbea0ea2b9af0c5ac08ef0d47c976e9adf25a55025504fea3953357129c972324ccaa0e7cc740ef971508722614098c84ac0703900f7f7cc83acf60e5
SSDEEP

98304:tg64YRFYsecOWle37HUjioDRo/Kjaf2kSsTUGqgytme:e2n2xtoDi/KxkSsoGxytP

Score

10^/10

skuld discovery stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1265956205906628731/Y_WgTtyzaKLbQcu0jVUZk_qjmhbdb-o-FFozTVe1v1qJKkXESHWP7QheBcgcIowtOtQp

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 2 IoCs

pid	Process
2760	skuld.sfx.exe
2728	skuld.exe

Loads dropped DLL 6 IoCs

pid	Process
2652	skuld123.exe
2652	skuld123.exe
2652	skuld123.exe
2760	skuld.sfx.exe
2760	skuld.sfx.exe
2648	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skuld123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skuld.sfx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2760	2652	skuld123.exe	30
PID 2652 wrote to memory of 2760	2652	skuld123.exe	30
PID 2652 wrote to memory of 2760	2652	skuld123.exe	30
PID 2652 wrote to memory of 2760	2652	skuld123.exe	30
PID 2760 wrote to memory of 2728	2760	skuld.sfx.exe	31
PID 2760 wrote to memory of 2728	2760	skuld.sfx.exe	31
PID 2760 wrote to memory of 2728	2760	skuld.sfx.exe	31
PID 2760 wrote to memory of 2728	2760	skuld.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\skuld123.exe
"C:\Users\Admin\AppData\Local\Temp\skuld123.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
    3⤵
    - Executes dropped EXE
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
8b072fa6dc2293e8fc4c79a4c9186886

SHA1
dc62f8da50e79c32042523062bfaa12f3179c796

SHA256
72614853b5345d3672df3e26a1ad39df61c87d882e40503651a9f237472c018d

SHA512
77346cbde03e6b1c60c776f5365ed24c784291b3b89ca21d1f0ccdc7c0a7e24e6a0816373d95ccea9f172e30a674726ea7fae48cd35c7c2dd4ca1a909a9e1636

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe

Filesize
3.7MB

MD5
c22852523a7ecfc152e31ab535e02fd2

SHA1
bfd7e15bb7a0ab28b7a6b21124bc963dc09ecbb8

SHA256
a94ea7310ba474d5e22faf966dc930915b18d2d54178f2ae31af20156ea9360a

SHA512
eaceef152e9fdcea1a2b04ad0bc828dd72ea90b703466c65baf5ba04391c628acd5509c79801019fc779105b0ae27c62f84b5a259e20ad8bcaf014bce519e246

Download Submit