skuld | 07a8af793ee61c79affa5f6b2c8a0f7ded1857b849156109950ff1c8e52d9b81

General

Target

2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
Size

14.2MB
MD5

3842c8a8aa332f3c9b423df547a2a3ff
SHA1

569538497d22e685cdbb76bbc311bacc6eebe9e8
SHA256

07a8af793ee61c79affa5f6b2c8a0f7ded1857b849156109950ff1c8e52d9b81
SHA512

98a07c373ba9317a6fb7a027edc29444406e6b527e9f24f6aec2e22034bc0146f752e0a9c5b342697bea8bcd67d4ba2dc1c609738b4e38105898936c740d9fa5
SSDEEP

196608:2WJafoL/tUoTX4ZSbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:2Wsfm/Tbh1lkSFCdTauZo

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1296775496545210368/Ao67W8PM5vDDLhIfb_sL9ardRGLI-FylA4FFcAI8SRC2lQ0IBazqI6fztmSCt2fHhl1S

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
5 api.ipify.org
9 ip-api.com
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 10 Go-http-client/1.1

flow	ioc
3	api.ipify.org
5	api.ipify.org
9	ip-api.com

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: 36	2460	wmic.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: 36	2460	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe

description	pid	process	target process
PID 3556 wrote to memory of 1304	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	attrib.exe
PID 3556 wrote to memory of 1304	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	attrib.exe
PID 3556 wrote to memory of 4028	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	attrib.exe
PID 3556 wrote to memory of 4028	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	attrib.exe
PID 3556 wrote to memory of 2460	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	wmic.exe
PID 3556 wrote to memory of 2460	3556	2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1304 attrib.exe
4028 attrib.exe

pid	process
1304	attrib.exe
4028	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-10-19_3842c8a8aa332f3c9b423df547a2a3ff_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:1304
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4028
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
3842c8a8aa332f3c9b423df547a2a3ff

SHA1
569538497d22e685cdbb76bbc311bacc6eebe9e8

SHA256
07a8af793ee61c79affa5f6b2c8a0f7ded1857b849156109950ff1c8e52d9b81

SHA512
98a07c373ba9317a6fb7a027edc29444406e6b527e9f24f6aec2e22034bc0146f752e0a9c5b342697bea8bcd67d4ba2dc1c609738b4e38105898936c740d9fa5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads