skuld | ceeaced15d7a6d72bea0aa59bb3caccc5d5e0089b4b980658c5709d3f96b31fb

General

Target

slinky.exe
Size

14.2MB
MD5

7e26817146b9ca70f5a1f271b381fdc8
SHA1

a87a69fa8c6833f818f878f6c5a5ec010b99dae4
SHA256

ceeaced15d7a6d72bea0aa59bb3caccc5d5e0089b4b980658c5709d3f96b31fb
SHA512

fa625fc2b8a68494fdf5b46a7a1b1d2a2188970825ca85deab268a66db920e3677c2dad09e87c73976ad7ee04d3645db1ab06f1048a9260695be47c3b2a361d8
SSDEEP

196608:iWJafoL/tUoTX4Zdbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:iWsfm/Qbh1lkSFCdTauZo

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

slinky.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
3 api.ipify.org
4 api.ipify.org
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 12 Go-http-client/1.1

flow	ioc
11	ip-api.com
3	api.ipify.org
4	api.ipify.org

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

slinky.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

slinky.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	872	slinky.exe
Token: SeIncreaseQuotaPrivilege	3168	wmic.exe
Token: SeSecurityPrivilege	3168	wmic.exe
Token: SeTakeOwnershipPrivilege	3168	wmic.exe
Token: SeLoadDriverPrivilege	3168	wmic.exe
Token: SeSystemProfilePrivilege	3168	wmic.exe
Token: SeSystemtimePrivilege	3168	wmic.exe
Token: SeProfSingleProcessPrivilege	3168	wmic.exe
Token: SeIncBasePriorityPrivilege	3168	wmic.exe
Token: SeCreatePagefilePrivilege	3168	wmic.exe
Token: SeBackupPrivilege	3168	wmic.exe
Token: SeRestorePrivilege	3168	wmic.exe
Token: SeShutdownPrivilege	3168	wmic.exe
Token: SeDebugPrivilege	3168	wmic.exe
Token: SeSystemEnvironmentPrivilege	3168	wmic.exe
Token: SeRemoteShutdownPrivilege	3168	wmic.exe
Token: SeUndockPrivilege	3168	wmic.exe
Token: SeManageVolumePrivilege	3168	wmic.exe
Token: 33	3168	wmic.exe
Token: 34	3168	wmic.exe
Token: 35	3168	wmic.exe
Token: 36	3168	wmic.exe
Token: SeIncreaseQuotaPrivilege	3168	wmic.exe
Token: SeSecurityPrivilege	3168	wmic.exe
Token: SeTakeOwnershipPrivilege	3168	wmic.exe
Token: SeLoadDriverPrivilege	3168	wmic.exe
Token: SeSystemProfilePrivilege	3168	wmic.exe
Token: SeSystemtimePrivilege	3168	wmic.exe
Token: SeProfSingleProcessPrivilege	3168	wmic.exe
Token: SeIncBasePriorityPrivilege	3168	wmic.exe
Token: SeCreatePagefilePrivilege	3168	wmic.exe
Token: SeBackupPrivilege	3168	wmic.exe
Token: SeRestorePrivilege	3168	wmic.exe
Token: SeShutdownPrivilege	3168	wmic.exe
Token: SeDebugPrivilege	3168	wmic.exe
Token: SeSystemEnvironmentPrivilege	3168	wmic.exe
Token: SeRemoteShutdownPrivilege	3168	wmic.exe
Token: SeUndockPrivilege	3168	wmic.exe
Token: SeManageVolumePrivilege	3168	wmic.exe
Token: 33	3168	wmic.exe
Token: 34	3168	wmic.exe
Token: 35	3168	wmic.exe
Token: 36	3168	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

slinky.exe

description	pid	process	target process
PID 872 wrote to memory of 4792	872	slinky.exe	attrib.exe
PID 872 wrote to memory of 4792	872	slinky.exe	attrib.exe
PID 872 wrote to memory of 4712	872	slinky.exe	attrib.exe
PID 872 wrote to memory of 4712	872	slinky.exe	attrib.exe
PID 872 wrote to memory of 3168	872	slinky.exe	wmic.exe
PID 872 wrote to memory of 3168	872	slinky.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4792 attrib.exe
4712 attrib.exe

pid	process
4792	attrib.exe
4712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\slinky.exe
"C:\Users\Admin\AppData\Local\Temp\slinky.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\slinky.exe
  2⤵
  - Views/modifies file attributes
  PID:4792
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4712
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
7e26817146b9ca70f5a1f271b381fdc8

SHA1
a87a69fa8c6833f818f878f6c5a5ec010b99dae4

SHA256
ceeaced15d7a6d72bea0aa59bb3caccc5d5e0089b4b980658c5709d3f96b31fb

SHA512
fa625fc2b8a68494fdf5b46a7a1b1d2a2188970825ca85deab268a66db920e3677c2dad09e87c73976ad7ee04d3645db1ab06f1048a9260695be47c3b2a361d8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads