skuld | a94ea7310ba474d5e22faf966dc930915b18d2d54178f2ae31af20156ea9360a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.sfx.exe
Size

3.7MB
MD5

c22852523a7ecfc152e31ab535e02fd2
SHA1

bfd7e15bb7a0ab28b7a6b21124bc963dc09ecbb8
SHA256

a94ea7310ba474d5e22faf966dc930915b18d2d54178f2ae31af20156ea9360a
SHA512

eaceef152e9fdcea1a2b04ad0bc828dd72ea90b703466c65baf5ba04391c628acd5509c79801019fc779105b0ae27c62f84b5a259e20ad8bcaf014bce519e246
SSDEEP

98304:tVBHStoOEyvuShmCYhCaZfcvscTzhDDh9e5jqbP6:DBHSSOZuBC4C0kv3NDhMdqC

Score

10^/10

skuld discovery stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1265956205906628731/Y_WgTtyzaKLbQcu0jVUZk_qjmhbdb-o-FFozTVe1v1qJKkXESHWP7QheBcgcIowtOtQp

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 1 IoCs

Processes:

skuld.exe

pid	Process
2700	skuld.exe

Loads dropped DLL 3 IoCs

Processes:

skuld.sfx.exe

pid	Process
2676	skuld.sfx.exe
2676	skuld.sfx.exe
2656

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

skuld.sfx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skuld.sfx.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

skuld.sfx.exe

description	pid	Process	procid_target
PID 2676 wrote to memory of 2700	2676	skuld.sfx.exe	30
PID 2676 wrote to memory of 2700	2676	skuld.sfx.exe	30
PID 2676 wrote to memory of 2700	2676	skuld.sfx.exe	30
PID 2676 wrote to memory of 2700	2676	skuld.sfx.exe	30

C:\Users\Admin\AppData\Local\Temp\skuld.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.sfx.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\skuld.exe
  "C:\Users\Admin\AppData\Local\Temp\skuld.exe"
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\skuld.exe

Filesize
9.5MB

MD5
8b072fa6dc2293e8fc4c79a4c9186886

SHA1
dc62f8da50e79c32042523062bfaa12f3179c796

SHA256
72614853b5345d3672df3e26a1ad39df61c87d882e40503651a9f237472c018d

SHA512
77346cbde03e6b1c60c776f5365ed24c784291b3b89ca21d1f0ccdc7c0a7e24e6a0816373d95ccea9f172e30a674726ea7fae48cd35c7c2dd4ca1a909a9e1636

Download Submit