General

  • Target

    host.exe

  • Size

    9.9MB

  • Sample

    240908-ngbzcatalm

  • MD5

    3c726a7bd511498158343416a139bd16

  • SHA1

    63853a4e3ab56f39298a866c1841f35c7e3b8294

  • SHA256

    60f59bb04aa894a837e1bb17af891d6c2965a7301ea8d21e026f0b6782f56463

  • SHA512

    7f53fd0df8e2df67287b952845f5875bc873bff0902556bfebdc33ef14a41c731d20ddab2b4e057dded1ca09cf19eb1ccea6a8d2fc1c0eaa7f2e62002e6269b7

  • SSDEEP

    98304:xQI9wzKxmhMIIKfGTibiyCC9cK8FE2ICafZmwjsEejd:xIzKxmhhtbiyCicR2DUjd

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1282265541553291357/p0QaUOI8cl7OBQT1cly0YVLoY-UjXuUOIVXp8Zk38Nmtn94LZo2OyTR9c6m6LfScAY41

Targets

    • Target

      host.exe

    • Size

      9.9MB

    • MD5

      3c726a7bd511498158343416a139bd16

    • SHA1

      63853a4e3ab56f39298a866c1841f35c7e3b8294

    • SHA256

      60f59bb04aa894a837e1bb17af891d6c2965a7301ea8d21e026f0b6782f56463

    • SHA512

      7f53fd0df8e2df67287b952845f5875bc873bff0902556bfebdc33ef14a41c731d20ddab2b4e057dded1ca09cf19eb1ccea6a8d2fc1c0eaa7f2e62002e6269b7

    • SSDEEP

      98304:xQI9wzKxmhMIIKfGTibiyCC9cK8FE2ICafZmwjsEejd:xIzKxmhhtbiyCicR2DUjd

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks