skuld | 8f9b5cb5362dcbc71f288d310a67b65957a18e83c660078f6d32056a6077c7ed

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigma.exe
Size

23.8MB
MD5

7b3b8c7ad73e483139127a259eedb39b
SHA1

8c8951d762a0cd2cdb6cc7ba3112d069fe95a4ec
SHA256

8f9b5cb5362dcbc71f288d310a67b65957a18e83c660078f6d32056a6077c7ed
SHA512

a4d1f60e6bced99b36f5057748ea1515eeccc7d4b1e64930063748c280c8f392962b079ab321e53cf8a366f1dd48ec79f28149a312e6d577f3cc3119d24c4056
SSDEEP

393216:V52BpDr3fdoc+5my5krGTONk+SBw7MSM5lMVFoga:b2Bp/7+0yBuk/BwJMzmFoga

Score

10^/10

skuld discovery stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1294219914600513648/1hMj8NibsG6kkmCebWQXD2dsOS3COgpf78DC2CqwIi8Ve2EgBTg8fRzgTY1uxq8ArsSQ

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Executes dropped EXE 1 IoCs

Processes:

sg.exe

pid process

2364 sg.exe
Loads dropped DLL 3 IoCs

Processes:

sigma.exe

pid process

2700 sigma.exe
2700 sigma.exe
1108
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

sigma.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sigma.exe

pid	process
2364	sg.exe

pid	process
2700	sigma.exe
2700	sigma.exe
1108

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sigma.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

sigma.exe

description	pid	process	target process
PID 2700 wrote to memory of 2364	2700	sigma.exe	sg.exe
PID 2700 wrote to memory of 2364	2700	sigma.exe	sg.exe
PID 2700 wrote to memory of 2364	2700	sigma.exe	sg.exe
PID 2700 wrote to memory of 2364	2700	sigma.exe	sg.exe

C:\Users\Admin\AppData\Local\Temp\sigma.exe
"C:\Users\Admin\AppData\Local\Temp\sigma.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\sigma_e14a208b-b4a9-4fde-8cf3-9367caae8044\sg.exe
  "C:\Users\Admin\AppData\Local\Temp\sigma_e14a208b-b4a9-4fde-8cf3-9367caae8044\sg.exe"
  2⤵
  - Executes dropped EXE
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sigma_e14a208b-b4a9-4fde-8cf3-9367caae8044\sg.exe

Filesize
14.8MB

MD5
2a90ba072e3b471bcde749b7cd016fa3

SHA1
022469956011ddd8c84ab82f23bb4af9f3c2a5d9

SHA256
e6e38df3a9b32c592012748cd2a01f29faeb0aee3028571cb2abfa8d4f997102

SHA512
5886639582079c80871883aac6aa562215cb7b77de4a7dcc64916b83d39b96c03c4d0bee8e56efd87b39106226749561fc03292fd98e3d875eaa5e5b7b248530

Download Submit
memory/2700-0-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000000DD0000-0x0000000000E1A000-memory.dmp

Filesize
296KB

Download
memory/2700-2-0x0000000000530000-0x0000000000554000-memory.dmp

Filesize
144KB

Download
memory/2700-3-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-129-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download