Overview

overview

7

Static

static

3

SkyLight.exe

windows10-1703-x64

7

SkyLight.exe

windows10-1703-x64

7

SkyLight.exe

windows10-1703-x64

7

SkyLight.exe

windows10-1703-x64

7

d3dcompiler_47.dll

windows10-1703-x64

1

d3dcompiler_47.dll

windows10-1703-x64

1

ffmpeg.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-1703-x64

1

libEGL.dll

windows10-1703-x64

1

libEGL.dll

windows10-1703-x64

1

libGLESv2.dll

windows11-21h2-x64

1

libGLESv2.dll

windows10-1703-x64

1

vk_swiftshader.dll

windows10-2004-x64

1

vk_swiftshader.dll

windows10-1703-x64

1

vulkan-1.dll

windows11-21h2-x64

1

vulkan-1.dll

windows10-1703-x64

1

Sharing

Copy URL Twitter E-mail

General

  • Target

    SkyLight.zip

  • Size

    77.4MB

  • Sample

    241009-j5fj8axeqp

  • MD5

    f4377bf6a8c63055633b9df4778a8745

  • SHA1

    242a18468429028d82c1cca18b5cfed3a73353fb

  • SHA256

    33195b08845b0d83e377364a23cde16e43dd2c1b438b744f1d5f077eceee8ed1

  • SHA512

    48154d7f89adc63f2bbffb47a0dfec35734c1044e317c6ed12256592f71910cccf4a357cc1739ed8548a6e38887c7540681a694d8d6acc6acedb5c9078f8d2cd

  • SSDEEP

    1572864:euADh2Ym0Mzm0jn427S5ER4urWJTZipSr0zVgj/i+A25ZAP2:euS4v0MC0jn427j4uiJjPL5ZAP2

Score
7/10
collectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      SkyLight.exe

    • Size

      77.4MB

    • MD5

      e6c0bde294ed3bb032c037b58681b709

    • SHA1

      a39f1ae80a226d5aca0ea783d1188dadc75f4f91

    • SHA256

      63f71f83abd8eba944deef1f862a2902fe7a449e30e41da2ab97bedc12387910

    • SHA512

      5fee1d4eb87e1801f188dca6d536975b1c57664cadac22d1629850f1eefdfcaa52687feec99f08154420a007b095fae7e0cab432f390c97106028655a70521e3

    • SSDEEP

      1572864:M4gPXMoYEcRo9wX9Ag1s3KHo2F29blulO92dvG/BSEqK3BWW7:M4Ac1EcRMwX9Ag1po2I9tXz3BWW7

    Score
    7/10
    collectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      SkyLight.exe

    • Size

      164.7MB

    • MD5

      e3dfe55654f92cd7ca78c2a936f6e374

    • SHA1

      873447d3da0df505c21569e111b456d0a60a7b76

    • SHA256

      03c2b70588602af3d04ba8948a1ad670144647d089fbfaca97fc78db9bc0b5c5

    • SHA512

      dcaf532e9c48cb2a992359eee7448969ae73f00a7b4e6917efd9a55e6fccb29ebd9f3c1bf56ac8d3d854ec4ff1f1f9a22ccbf5350949664f7b95b03f480c52c0

    • SSDEEP

      1572864:kl+CE2MQXWN/rdELTi/YA3kaz3lYMOyAwxLQOnblBeXZm/uGv2G2EkA/dyive45B:4UFwAY2le00pmHgr4

    Score
    7/10
    collectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral3behavioral4

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    1/10
    behavioral5behavioral6

    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      003621dec0f1bb3198c3767f92703d4c

    • SHA1

      846dba74ff39920c3f8a0312f89b2fbc2acb6c55

    • SHA256

      84482be78116676e174d0c5b7e0ec7873b4aa23d31633a81ad70c9b6f4e7a30f

    • SHA512

      14ac4ded9f74669993ad113c02908b2c3160fe6a0e1d0e649ca89f980986650499b142433ab27acf573f40000ce879149f7555ea79ee12c3a464410f74d2dc9d

    • SSDEEP

      49152:zF5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQESCu:zFvSkJXv+tiLAD0+DES5

    Score
    1/10
    behavioral7behavioral8

    • Target

      libEGL.dll

    • Size

      477KB

    • MD5

      62c210fb30a6cd478415978a92df4549

    • SHA1

      a6b962105a045df609fe9ca952e0cfe3da842650

    • SHA256

      5771f67ba551ebe2a808d1718d76fd05a96447420d9d44ed32c7809af81d2bee

    • SHA512

      16bbfdbaef1711d883aee6c1e6409b13bcb1d03486863f2017c381703489f8706a89353cfce20778376fec9f0f993e0127aec293efed70687a6c7db2d1ecc33f

    • SSDEEP

      6144:B8hd1BSjuMmof2SEXVVfgV8hxN7h2NbIEOg51f0FticyQ:B8DXSjZmof2SEsmN12NbIE7f0FticyQ

    Score
    1/10
    behavioral10behavioral9

    • Target

      libGLESv2.dll

    • Size

      7.3MB

    • MD5

      fa35c62a428d613036df7b998778aca5

    • SHA1

      09edd0595055e11929c3c2e5a938f88f1f12caf7

    • SHA256

      ab5adaa1fa2c83bcfa87e421b3455d212e43e2f7f19fa51d620653618b29419e

    • SHA512

      5d8974db0fa818980aef19fe6d73fc616ff6e30c4175eaefca4e62c3c418f3c5872965bacdf343943d8f5a0c62f4e0e7185269d476f040ebe7767987dd0c70f8

    • SSDEEP

      98304:znbalIu/BrsXHXnvV9AcDoyGDHnSHQZ3rA:znGG0BMXBDerr

    Score
    1/10
    behavioral11behavioral12

    • Target

      vk_swiftshader.dll

    • Size

      4.9MB

    • MD5

      6d4ed7404de831bfdbf9bed5a0806b9f

    • SHA1

      d40fd8fe8dca45ce09b9101eeecb2be6f9681085

    • SHA256

      ede42b2b9191b18cea5a63939fec682bbbf8c69133485303d26c50ec4f10930d

    • SHA512

      bd7cefd760ee9ea4f0e39dc779c427fcf927b907986e34176583a5101c60714fa653a221d77cd8c5b973cb515008a7335b15fa84df33f7bfc573af7a807370c1

    • SSDEEP

      49152:P6h3a0f1ABi1jP9LoS8lne0Zv8EgHI7JXYN3bgFNmEgMYmz2qA0Mr7wsVUsNCOzN:Sh3aMXoSHfPwksHldLiuNr

    Score
    1/10
    behavioral13behavioral14

    • Target

      vulkan-1.dll

    • Size

      931KB

    • MD5

      bffe91743ec8bbd1b1c64e43f1363726

    • SHA1

      fe863f1bd00b7cc952f359e98967989cf2f66566

    • SHA256

      1d1f2f47c7369c9416705c4bdf5fd9235174bdcc065c9a85c8495101d8b60490

    • SHA512

      881e79791408d60e994bb694ff7d81e1e12fbdbb4d47358067ac980380e07d67701fef72b65b6e0d4dd0ecc32cab2fd17fc5d2f0e9798bc3073c415efc0cd9ae

    • SSDEEP

      24576:bYWOq/4Kt/Ku8n387ecbFb6Z5WoDYsHY6g3P0zAk7sx:bY65/M387R56Z5WoDYsHY6g3P0zAk7s

    Score
    1/10
    behavioral15behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks