skuld | fd27388ee0e064cc6c28557ced21dd581e98938449e1fa90e77de6961665f8db

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld-main.exe
Size

3.9MB
MD5

aa6ab61ffec1cadb1f1fb9e409434d23
SHA1

36d9bcca5162c35b0d12955c22bd913a91f20d61
SHA256

fd27388ee0e064cc6c28557ced21dd581e98938449e1fa90e77de6961665f8db
SHA512

f0017002feb946a901ac363e60f87ed175926992a4369a1fa1b59ccea1e36d46b5488a76c035566605f4388b015d4e9239c0d968c83b9399efd19e96818d0c52
SSDEEP

98304:tx64YRFYsecOWle37HUjioDRo/Kjaf2kSsTUGqgytme:j2n2xtoDi/KxkSsoGxytD

Score

10^/10

skuld discovery stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1265956205906628731/Y_WgTtyzaKLbQcu0jVUZk_qjmhbdb-o-FFozTVe1v1qJKkXESHWP7QheBcgcIowtOtQp

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 2 IoCs

pid	Process
2292	skuld.sfx.exe
2864	skuld.exe

Loads dropped DLL 4 IoCs

pid	Process
2108	cmd.exe
2292	skuld.sfx.exe
2292	skuld.sfx.exe
2772	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skuld.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skuld-main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2108	756	skuld-main.exe	31
PID 756 wrote to memory of 2108	756	skuld-main.exe	31
PID 756 wrote to memory of 2108	756	skuld-main.exe	31
PID 756 wrote to memory of 2108	756	skuld-main.exe	31
PID 2108 wrote to memory of 2292	2108	cmd.exe	33
PID 2108 wrote to memory of 2292	2108	cmd.exe	33
PID 2108 wrote to memory of 2292	2108	cmd.exe	33
PID 2108 wrote to memory of 2292	2108	cmd.exe	33
PID 2292 wrote to memory of 2864	2292	skuld.sfx.exe	34
PID 2292 wrote to memory of 2864	2292	skuld.sfx.exe	34
PID 2292 wrote to memory of 2864	2292	skuld.sfx.exe	34
PID 2292 wrote to memory of 2864	2292	skuld.sfx.exe	34

C:\Users\Admin\AppData\Local\Temp\skuld-main.exe
"C:\Users\Admin\AppData\Local\Temp\skuld-main.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe
    skuld.sfx.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
      4⤵
      Executes dropped EXE
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper.bat

Filesize
19B

MD5
d26173d979a9427cb2d59478382db58b

SHA1
6a4834c27726aebad506434465485dbf594b92c2

SHA256
78b08486655044ecdbb7d710b895830469ba8ca48ee4bc32b721e83f0f4f2905

SHA512
04f3ddab7158e5faa4eefc84fc90ca7669d34fbd6770f4debb03bc582267000599a24f619b383efa719cc7bf64e2a845316167389ea3b92471dda659202621c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.sfx.exe

Filesize
3.7MB

MD5
c22852523a7ecfc152e31ab535e02fd2

SHA1
bfd7e15bb7a0ab28b7a6b21124bc963dc09ecbb8

SHA256
a94ea7310ba474d5e22faf966dc930915b18d2d54178f2ae31af20156ea9360a

SHA512
eaceef152e9fdcea1a2b04ad0bc828dd72ea90b703466c65baf5ba04391c628acd5509c79801019fc779105b0ae27c62f84b5a259e20ad8bcaf014bce519e246

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
8b072fa6dc2293e8fc4c79a4c9186886

SHA1
dc62f8da50e79c32042523062bfaa12f3179c796

SHA256
72614853b5345d3672df3e26a1ad39df61c87d882e40503651a9f237472c018d

SHA512
77346cbde03e6b1c60c776f5365ed24c784291b3b89ca21d1f0ccdc7c0a7e24e6a0816373d95ccea9f172e30a674726ea7fae48cd35c7c2dd4ca1a909a9e1636

Download Submit