General

  • Target

    2024090806bba3de6cb897291a87e25dc1fb1348ngrbotpoetratsnatch

  • Size

    9.8MB

  • Sample

    240908-kwfz3axajn

  • MD5

    06bba3de6cb897291a87e25dc1fb1348

  • SHA1

    d6cee17ed905c50444389c1a856cffcb97ba7e51

  • SHA256

    d9e5cd6540b2b079303ece88e64defd80f86b4b61d83f17e0e935cff94d44734

  • SHA512

    044f9fc795255c1e79d2f1bcf5639eb6ce7a8d936f011a2da62c411c8b443fa4c51d6b0baff5fb233c23cb41ff465b5687bfd474e7ab7861edc291fcf4bad543

  • SSDEEP

    98304:AOYVw4GTh3/cwrBz9HJGalTbCekYTGMCBEXOTThZ4zzF:AW9h3/1walTbfkYTGMCC+szF

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1259097566084071475/ipsUcitO2Ssgzt0fWfy20DeLTo9uhG0Z863sOZgL2tjvYoK90r6Aeaf2NWiQQBpL2gfj

Targets

    • Skuld stealer

      An info stealer written in Go.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks