General

  • Target: skuld.exe

  • Size: 9.5MB

  • Sample: 240812-yt2qmsxejp

  • MD5: be584034b9b06487721108efe39cc217

  • SHA1: 960cec80e5748fa175e6ceed0d92a11a718bb95d

  • SHA256: bc9b9fae57672ab78e34ffba0b18b44ae9808805a92937367aa12e4b8c6cf83f

  • SHA512: 9d837893804e664db431de59af5394b6e244c5a0272d164178d0098e50d5b3c595e66dde7c5b5ca6ea145d2baec99f17588efbbc62f8f4cb34db49b6e601d12a

  • SSDEEP: 98304:Uz8Fycul++xeGfI+lxeViddGhqE1bDBFX7Qxj:locul++LlxeVQdGl1gxj

Malware Config

Extracted

Family: skuld

C2: https://discord.com/api/webhooks/1157643419297009715/QWD1uALjuRR3wtFAUR85eJpOlRMjDI3SomoeSsu5bbnage2Qh8OCdrk2xaSc-m5phEqW

Targets

    • Skuld stealer

      An info stealer written in Go.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks