General

  • Target

    2024-08-31_981533db8f7a278a44d522ed85636f43_ngrbot_poet-rat_snatch

  • Size

    9.9MB

  • Sample

    240831-bpk6rsxcrf

  • MD5

    981533db8f7a278a44d522ed85636f43

  • SHA1

    6d124496fca65881e44b97258bdd37d73a3ffaa1

  • SHA256

    a5547a4572d2acca8ce33dc9b2e1a05419370550ebcbbad7150180b633bbd3d4

  • SHA512

    4963db510432625ac34e7fc90a8018cfd7284940da180aaf0af07e14699a2c97d246b495f863ed79e7f16bb1563e7eb0e4298069b1f47e68733de846ae1ab3d0

  • SSDEEP

    98304:AEviWIjraQ4Gzv+igMgiiIHZiBI8EFICafZmyjsEHjY:AgIjraQoCgiiI5iy1k3jY

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1278759490937688074/UywOde-HC_XdyhvbIDhuctOR880XRj5ROecJB_CQFRJwRJdEQ64XUdz_LksGCTmAyt1y

Targets

    • Target

      2024-08-31_981533db8f7a278a44d522ed85636f43_ngrbot_poet-rat_snatch

    • Size

      9.9MB

    • MD5

      981533db8f7a278a44d522ed85636f43

    • SHA1

      6d124496fca65881e44b97258bdd37d73a3ffaa1

    • SHA256

      a5547a4572d2acca8ce33dc9b2e1a05419370550ebcbbad7150180b633bbd3d4

    • SHA512

      4963db510432625ac34e7fc90a8018cfd7284940da180aaf0af07e14699a2c97d246b495f863ed79e7f16bb1563e7eb0e4298069b1f47e68733de846ae1ab3d0

    • SSDEEP

      98304:AEviWIjraQ4Gzv+igMgiiIHZiBI8EFICafZmyjsEHjY:AgIjraQoCgiiI5iy1k3jY

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks