General

  • Target

    20240914372075b23b3eb7022806dcb9e30f1e4bngrbotpoetratsnatch

  • Size

    9.9MB

  • Sample

    240914-k754bswfrm

  • MD5

    372075b23b3eb7022806dcb9e30f1e4b

  • SHA1

    088b8d548fbcc04b100a40786795571e64e37764

  • SHA256

    c9381c9ab6e99434918e5bfb7e41e29e77baf3e771fe9d7524ca83fc04bfd415

  • SHA512

    6d5def1d89e8949eacf47f5a8d3597c721c22a2fc62d450858c639e3e6fc0a695c6a53ddf6a21320ad744f9c6ddb3c5e207c1c6c17c66e60422f9eca65f508f2

  • SSDEEP

    98304:pTvu5YYrBp6oiw+qaMriionl1IKjExICafZmGjsEajY:p8YYrBp2Ariiol1hwQCjY

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1278501698972942449/Fj-HTUy5ZYotGdUrOTSUYy3V_hoBs8EBQcZB4b1zj5Lk3OZfknwnNZOUNt6SdD_-2hSf

Targets

    • Target

      20240914372075b23b3eb7022806dcb9e30f1e4bngrbotpoetratsnatch

    • Size

      9.9MB

    • MD5

      372075b23b3eb7022806dcb9e30f1e4b

    • SHA1

      088b8d548fbcc04b100a40786795571e64e37764

    • SHA256

      c9381c9ab6e99434918e5bfb7e41e29e77baf3e771fe9d7524ca83fc04bfd415

    • SHA512

      6d5def1d89e8949eacf47f5a8d3597c721c22a2fc62d450858c639e3e6fc0a695c6a53ddf6a21320ad744f9c6ddb3c5e207c1c6c17c66e60422f9eca65f508f2

    • SSDEEP

      98304:pTvu5YYrBp6oiw+qaMriionl1IKjExICafZmGjsEajY:p8YYrBp2Ariiol1hwQCjY

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks