General

  • Target

    groupfundstransfer.zip

  • Size

    8.6MB

  • Sample

    240914-y8b4javbkh

  • MD5

    0ad7307b88487ebc059fae6d6edd12fd

  • SHA1

    52bcde0f1af6e3fa455da56023816e52c4c97d08

  • SHA256

    49c7893ecae3bc64ad6c1e59e5084239b3d7fd232e67b14fbeaadc1864592c64

  • SHA512

    452f0fb96b158ed50d17ec588f16f74ef315f6ff3ece76b9362cfbb2ce560937662537b276a7cab41e101df4ff252524bea5659b8eec33cc60eac6d3419f4c57

  • SSDEEP

    196608:uXSSIDdHnpKanefCLk5a7NNk+sdVT0X/RkUeb03zwiQ0s6DY:dRnpKanhxNTsdVT0Jzu0wiK

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1284539888368226418/IYgFNf1LGi0AIpKOUQjhaxOIw8zxqFH_w1-piF8Fje7yYzzH0toXYa1U2G5EGPGvJqN0

Targets

    • Target

      groupfunds-transfer.exe

    • Size

      14.8MB

    • MD5

      33d8f8dfbeebdfaffc2116a54ab4d554

    • SHA1

      5469f1a57f1ea0fa3447d8562a8830e20279d323

    • SHA256

      2d20cd85d38cbe027f977fd9eedc4473ad26fdede4ff2729a17d4d205a895f87

    • SHA512

      bb1df5a2333372c67553ee4e326a19d783316287f3e13893f83dd2231a88303f09a85349479ae9cf9f7cb4383e18fba8bb5db3a6c31dd81691dd5010c7bb8044

    • SSDEEP

      196608:apOO+VK+RY9CnIpEluzxj55AAkI6kA1LyzHRmgxsSygLw:aGVmqudALthyzsmLL

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks