skuld | 16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90

General

Target

saturnx.exe
Size

9.5MB
Sample

240812-ry4bpsvgpq
MD5

1efe9696fbd52aec72f56312fa0c984f
SHA1

b8b974959c744e6c68ab5cc7cceaa676cf8a8d6f
SHA256

16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90
SHA512

8d29068c0be8b5cc41c5e6578c3e923fe22f703b224301e586c85797278289ac23a0f18897c2ab146e6bfef140ee8cc91d04dd8a80c9cd1c0ba0844073ff5625
SSDEEP

98304:wLNkPQbfzcsr+zUxkol+6VHMklE/BU7F/Bz2WIb:wOSfzHkol+MHMkW/BEZIb

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1264169187568259117/AQdbcBouvWxeCMV3MoSPfcwrIMWOrqG8LaB0nuXhmBw2kXbOYgLzltm0JWd0v2AIvo3z

Targets

- Target
  
  saturnx.exe
- Size
  
  9.5MB
- MD5
  
  1efe9696fbd52aec72f56312fa0c984f
- SHA1
  
  b8b974959c744e6c68ab5cc7cceaa676cf8a8d6f
- SHA256
  
  16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90
- SHA512
  
  8d29068c0be8b5cc41c5e6578c3e923fe22f703b224301e586c85797278289ac23a0f18897c2ab146e6bfef140ee8cc91d04dd8a80c9cd1c0ba0844073ff5625
- SSDEEP
  
  98304:wLNkPQbfzcsr+zUxkol+6VHMklE/BU7F/Bz2WIb:wOSfzHkol+MHMkW/BEZIb
Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2