skuld | a2ce7baa72bb51468a0e92846530a8adc036fbf7ecdaaa40d0b68e86bb0d23e0

General

Target

skuld.sfx.exe
Size

3.7MB
Sample

240726-rkl59ssfrl
MD5

69f045b706e34f7b013a1b3ef972b1f2
SHA1

0078959f87e4de4735def1ee9fcd99592757000b
SHA256

a2ce7baa72bb51468a0e92846530a8adc036fbf7ecdaaa40d0b68e86bb0d23e0
SHA512

294557695432f1c09e464c012ab330ca494fa9055c946e07b38723821e21ca646cf733a335bc29f343ba7b3c2eb18e51760bb7e7553682d9d315d38762eb9acd
SSDEEP

49152:t84a+Ka/iNj4WLG1cNLsvhZmKrniMrbokZPVuJqfK8eyl5LVPELrG0GR7Efp:tEXFegvKdYkZPYJoqyl5xPaNfp

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1266323703936057355/RcZ4i7xtRnR9TI9igA9_Cyhc-8yXb2ttFBlD8urPmC8e1TbC6EGbQFWCJpC4NeNhKbL9

Targets

- Target
  
  skuld.sfx.exe
- Size
  
  3.7MB
- MD5
  
  69f045b706e34f7b013a1b3ef972b1f2
- SHA1
  
  0078959f87e4de4735def1ee9fcd99592757000b
- SHA256
  
  a2ce7baa72bb51468a0e92846530a8adc036fbf7ecdaaa40d0b68e86bb0d23e0
- SHA512
  
  294557695432f1c09e464c012ab330ca494fa9055c946e07b38723821e21ca646cf733a335bc29f343ba7b3c2eb18e51760bb7e7553682d9d315d38762eb9acd
- SSDEEP
  
  49152:t84a+Ka/iNj4WLG1cNLsvhZmKrniMrbokZPVuJqfK8eyl5LVPELrG0GR7Efp:tEXFegvKdYkZPYJoqyl5xPaNfp
Score

10^/10

skuld discovery stealer credential_access defense_evasion execution persistence privilege_escalation spyware
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2