General

  • Target

    2024-09-12_f57ce552f8e4204727cddbb6a46db8ac_ngrbot_poet-rat_snatch

  • Size

    9.9MB

  • Sample

    240912-prw8psvelb

  • MD5

    f57ce552f8e4204727cddbb6a46db8ac

  • SHA1

    d8c9bbce9c97007a8edf752a518d7eda2abce617

  • SHA256

    c510311474c1b2b9f3d3b3cef630ea87a7910cdf2c0f596de5a3e5873c1f02bf

  • SHA512

    9f3f1829b30aecc576e70933c4962708ece1831e18aa12d1d626fce33f92734af879f31727fbf63ea94f84c57107db937709b70ad25bf4cb42049daa7f530367

  • SSDEEP

    98304:2QI9wzKxmhMIIKfGTibiyCC9cE8yETICafZm7jsEUjd:2IzKxmhhtbiyCicDf+njd

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1279109277432152145/boXW26sW6tNhBlf20PoEyIehV6DhzuNGNfcx-ggmxlwW2zLn6qCz6l1h_7sgCx_5aAuM

Targets

    • Target

      2024-09-12_f57ce552f8e4204727cddbb6a46db8ac_ngrbot_poet-rat_snatch

    • Size

      9.9MB

    • MD5

      f57ce552f8e4204727cddbb6a46db8ac

    • SHA1

      d8c9bbce9c97007a8edf752a518d7eda2abce617

    • SHA256

      c510311474c1b2b9f3d3b3cef630ea87a7910cdf2c0f596de5a3e5873c1f02bf

    • SHA512

      9f3f1829b30aecc576e70933c4962708ece1831e18aa12d1d626fce33f92734af879f31727fbf63ea94f84c57107db937709b70ad25bf4cb42049daa7f530367

    • SSDEEP

      98304:2QI9wzKxmhMIIKfGTibiyCC9cE8yETICafZm7jsEUjd:2IzKxmhhtbiyCicDf+njd

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks