General

  • Target

    Pluxis Brute Force.exe

  • Size

    9.9MB

  • Sample

    240826-281zfasbqj

  • MD5

    dfbee94bf50c02ac6a0af22db1080c4d

  • SHA1

    77628f0f12a46c23969a7ae27a54d46d9c69e406

  • SHA256

    12b3fbd52032a35122f10e38bf713b3b9ce4257820e83ae69ce345b4a6b52f67

  • SHA512

    f5c1f94977ca1aac0c446b2ce26d03295af01db3566965885f9cf17baf169bb87f651967656473f7e4d4ac572a848c9dc8f7fff087304b8f855fa3c3aaaa2d1b

  • SSDEEP

    98304:LQI9wzKxmhMIIKfGTibiyCC9cE8yECICafZm7jsEjjd:LIzKxmhhtbiyCicDffwjd

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1277693402128842752/GL2sVurL98MJ9mr9KPKGQzwZrf6F5zrTCtpQZNf79Io8RVW2QqbWxNycbicDXEjHHL_R

Targets

    • Target

      Pluxis Brute Force.exe

    • Size

      9.9MB

    • MD5

      dfbee94bf50c02ac6a0af22db1080c4d

    • SHA1

      77628f0f12a46c23969a7ae27a54d46d9c69e406

    • SHA256

      12b3fbd52032a35122f10e38bf713b3b9ce4257820e83ae69ce345b4a6b52f67

    • SHA512

      f5c1f94977ca1aac0c446b2ce26d03295af01db3566965885f9cf17baf169bb87f651967656473f7e4d4ac572a848c9dc8f7fff087304b8f855fa3c3aaaa2d1b

    • SSDEEP

      98304:LQI9wzKxmhMIIKfGTibiyCC9cE8yECICafZm7jsEjjd:LIzKxmhhtbiyCicDffwjd

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks