General

  • Target

    d4e96fc18fb6bc975d95324f51069f5ca007334fcfd55a2c97abbbcaadac4995

  • Size

    9.9MB

  • Sample

    240824-kyd89asema

  • MD5

    d00d98a03bd9a78b7ce8f77ede918b7e

  • SHA1

    c9e7ed612aa1900f972c5c26f715c0198d32e953

  • SHA256

    d4e96fc18fb6bc975d95324f51069f5ca007334fcfd55a2c97abbbcaadac4995

  • SHA512

    e99a44a030f92af338d8c095ca2f10e4d1b1823545fa5af8cde8de6bb6242632d3ffff5995a3577aa0a75bd731303438030034136cc5f7116e69ccbe64199db3

  • SSDEEP

    98304:L+v2sRfLrPSt6t/GKBvhi3DKeaJOzE7ICafZmejsEYjx:ShfLrPS9Shi3D9aEg2wjx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1275305712578330737/ZalWpwJCemRihEDHYR7eDBQulhrbujH6uOKIzKIC7c3ieh5gpbHX77qCSy-LcQ1k8T7_

Targets

    • Target

      d4e96fc18fb6bc975d95324f51069f5ca007334fcfd55a2c97abbbcaadac4995

    • Size

      9.9MB

    • MD5

      d00d98a03bd9a78b7ce8f77ede918b7e

    • SHA1

      c9e7ed612aa1900f972c5c26f715c0198d32e953

    • SHA256

      d4e96fc18fb6bc975d95324f51069f5ca007334fcfd55a2c97abbbcaadac4995

    • SHA512

      e99a44a030f92af338d8c095ca2f10e4d1b1823545fa5af8cde8de6bb6242632d3ffff5995a3577aa0a75bd731303438030034136cc5f7116e69ccbe64199db3

    • SSDEEP

      98304:L+v2sRfLrPSt6t/GKBvhi3DKeaJOzE7ICafZmejsEYjx:ShfLrPS9Shi3D9aEg2wjx

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks