General

  • Target

    2024-09-07_a146f565a83c579f2122c62837df68ed_ngrbot_poet-rat_snatch

  • Size

    9.5MB

  • Sample

    240907-3evq1atdlf

  • MD5

    a146f565a83c579f2122c62837df68ed

  • SHA1

    85d5fab557bbd0b6ea3ec497bd07ac109d84579c

  • SHA256

    f4cc7235432889822197a3fabe17452e0c8150bdbb2da659e8f78e3916e6714d

  • SHA512

    066a8addf4f993991d244c0936119fa978a83f2b18714d99c8fbf63f98be3c0f51c47b65139b059f04b3a1efb45e1a74311ea875126874929c0782288482e3c9

  • SSDEEP

    98304:Wg9b8rXQsZ2v2PWb9r3IN3qJW0EqHkF8Tl19yfO:tYXQsUdr3IN3AWNqF1If

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1256944791892000839/F0of6Tr0OIyJu_836owtLa25w8KhcnYpM2Hj8lo5yJc8Fyc0xlMT3t9q1KBvn_ccgDjA
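
The extracted C2 is a Discord webhook, which is the "legitimate hosting services abused for C2" behaviour flagged further down: the stealer posts its loot to a service that every corporate proxy already allows. What follows is an added example, not part of this report and not Triage's extractor, of how a config extractor can pull such webhooks out of a memory dump or unpacked binary, check that they have the right shape, recover the webhook's creation time from its snowflake ID (a useful pivot: the webhook was created before the sample was submitted), and emit a redacted form for sharing. The byte blob is constructed for the example and embeds the webhook above plus one malformed decoy; the regex bounds and helper names are assumptions of mine.

```python
import re
from datetime import datetime, timezone

# Constructed for this example: a slice of the kind of memory a config
# extractor scans, with the webhook from the report embedded in it and one
# malformed decoy that must not match.
SAMPLE_BLOB = (
    b"\x00runtime.main\x00"
    b"https://discord.com/api/webhooks/1256944791892000839/"
    b"F0of6Tr0OIyJu_836owtLa25w8KhcnYpM2Hj8lo5yJc8Fyc0xlMT3t9q1KBvn_ccgDjA"
    b"\x00https://discord.com/api/webhooks/notanid/short\x00"
)

# The webhook ID is a Discord snowflake (17-20 decimal digits); the token is a
# URL-safe base64-like string. The length bounds are an assumption that fits
# webhooks seen in the wild and is loose enough to survive minor format drift.
WEBHOOK_RE = re.compile(
    rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,100})"
)

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch


def snowflake_created(snowflake: str) -> datetime:
    """Creation time encoded in a snowflake: the top 42 bits are ms since the Discord epoch."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def extract_webhooks(blob: bytes) -> list[dict]:
    """Return one record per well-formed Discord webhook URL found in the blob."""
    found = []
    for m in WEBHOOK_RE.finditer(blob):
        webhook_id = m.group("id").decode()
        token = m.group("token").decode()
        url = m.group(0).decode()
        found.append({
            "url": url,
            "webhook_id": webhook_id,
            "created": snowflake_created(webhook_id),
            # Share this form in reports: the ID is enough to pivot on, and the
            # live token is not republished.
            "redacted": url.replace(token, "<token-redacted>"),
        })
    return found


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(hook["redacted"], "created", hook["created"].isoformat())
```

The decoy URL is rejected because its ID is not numeric, which is the check that separates a real webhook from a partial string or a debug stub. The creation timestamp is derived purely from the snowflake layout and needs no network access; for the webhook above it resolves to 2024-06-30, roughly ten weeks before this sample was submitted. Treat the full URL as a live credential: anyone holding it can post to (or, with a DELETE request, remove) the webhook, so circulate the redacted form and route the full URL to the hosting service's abuse channel for takedown.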

Targets

    • Target

      2024-09-07_a146f565a83c579f2122c62837df68ed_ngrbot_poet-rat_snatch

    • Size

      9.5MB

    • MD5

      a146f565a83c579f2122c62837df68ed

    • SHA1

      85d5fab557bbd0b6ea3ec497bd07ac109d84579c

    • SHA256

      f4cc7235432889822197a3fabe17452e0c8150bdbb2da659e8f78e3916e6714d

    • SHA512

      066a8addf4f993991d244c0936119fa978a83f2b18714d99c8fbf63f98be3c0f51c47b65139b059f04b3a1efb45e1a74311ea875126874929c0782288482e3c9

    • SSDEEP

      98304:Wg9b8rXQsZ2v2PWb9r3IN3qJW0EqHkF8Tl19yfO:tYXQsUdr3IN3AWNqF1If

    • Skuld stealer

      An info stealer written in Go.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.
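
Three of the behaviours above (the PowerShell Defender exclusions, the Run key, and the external IP lookup) map directly onto host telemetry a detection engineer can alert on. The block below is an added example, not part of this report and not Triage's detection logic, that runs those checks over constructed Sysmon-style events (event ID 1 process creation, 13 registry value set, 22 DNS query). The event dicts and their field names, the list of IP-echo services, and the rule names are assumptions of mine, chosen to illustrate the technique rather than to reproduce what this sample did on the wire.

```python
import re

# Constructed sample telemetry in Sysmon's shape. These events are made up for
# the example; they are not taken from the report above.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\stub.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public '
                '-ExclusionExtension .exe -ExclusionProcess stub.exe"'},
    {"id": 13, "image": r"C:\Users\Public\stub.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\stub.exe"},
    {"id": 22, "image": r"C:\Users\Public\stub.exe", "query": "api.ipify.org"},
    {"id": 1, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent": r"C:\Users\Public\stub.exe",
     "cmdline": 'pwsh -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c dir"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.mozilla.org"},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
MPPREFERENCE_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCLUSION_ARG_RE = re.compile(
    r"(?i)-Exclusion(?P<kind>Path|Extension|Process|IpAddress)\s+(?P<value>\"[^\"]*\"|'[^']*'|\S+)")
DISABLE_ARG_RE = re.compile(
    r"(?i)-Disable(?P<feature>RealtimeMonitoring|IOAVProtection|BehaviorMonitoring|ScriptScanning)"
    r"\s+(?:\$true|1)\b")
RUN_KEY_RE = re.compile(
    r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$")
# Public IP-echo services commonly contacted by stealers; illustrative, extend locally.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "ip-api.com", "icanhazip.com",
                   "checkip.amazonaws.com"}


def detect_defender_tamper(event):
    """Flag PowerShell that adds Defender exclusions or switches protection features off."""
    if event["id"] != 1 or not event["image"].lower().endswith(POWERSHELL_IMAGES):
        return None
    cmd = event["cmdline"]
    if not MPPREFERENCE_RE.search(cmd):
        return None
    exclusions = [(m.group("kind").lower(), m.group("value").strip("\"'"))
                  for m in EXCLUSION_ARG_RE.finditer(cmd)]
    disabled = [m.group("feature").lower() for m in DISABLE_ARG_RE.finditer(cmd)]
    if exclusions:
        return {"technique": "defender_exclusion", "exclusions": exclusions, "parent": event["parent"]}
    if disabled:
        return {"technique": "defender_tamper", "disabled": disabled, "parent": event["parent"]}
    return None


def detect_run_key(event):
    """Flag a new Run/RunOnce value and report the value name and the command it launches."""
    if event["id"] != 13:
        return None
    m = RUN_KEY_RE.search(event["target"])
    if not m:
        return None
    return {"technique": "run_key_persistence", "value_name": m.group("name"),
            "command": event["details"], "image": event["image"]}


def detect_ip_lookup(event):
    """Flag a DNS query for a public IP-echo service, with the process that issued it."""
    if event["id"] != 22:
        return None
    host = event["query"].lower().rstrip(".")
    if host not in IP_LOOKUP_HOSTS:
        return None
    return {"technique": "external_ip_lookup", "host": host, "image": event["image"]}


DETECTORS = (detect_defender_tamper, detect_run_key, detect_ip_lookup)


def scan(events):
    """Run every detector over every event, in order, and collect the hits."""
    findings = []
    for index, event in enumerate(events):
        for detector in DETECTORS:
            hit = detector(event)
            if hit:
                hit["event_index"] = index
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The exclusion rule keys on the process command line, which is exactly the weakness the Command Obfuscation entry above points at: an -EncodedCommand or string-concatenated invocation will not contain the literal Add-MpPreference. Feeding the same regexes the ScriptBlockText of PowerShell event 4104 (Script Block Logging), which records the decoded script as it runs, closes that gap, and Defender's own Operational log event 5007 records the resulting configuration change regardless of how it was requested. Score hits by parent: a Defender exclusion request whose parent lives under C:\Users\Public or a temp directory, as in the constructed events, deserves a higher severity than the same command from an administrator's console.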

MITRE ATT&CK Enterprise v15

Tasks