skuld | f31b0285f3bccd657e9b591732186a807584901d2ab8924897fa679ed1b39a1b | Triage

Sharing

General

Target

EzFN-Manager.exe
Size

3.8MB
Sample

241128-dgnm2aslhv
MD5

2edfa42f0313ebe2b05d0d3961deaf3b
SHA1

82ba26770f8a59297e668a6ca95b4049c82b67e3
SHA256

f31b0285f3bccd657e9b591732186a807584901d2ab8924897fa679ed1b39a1b
SHA512

4bfe9e9766677aaf6e630ec8e653f9d61a75677e34b15661f3f04889b5c1397d9e06fb2e81bf7cda1e46fd00139528a4412278b6882ffcf78278ab0a69714378
SSDEEP

49152:GQyw/FgZl3Vslwr1ymub72iQkxDonnrxxxqNWN/l4itPBFGsDJjr6uas4:yw/K33VslU8zQkxkrhNzXZDFFZ4

Score

10^/10

skuld xworm discovery execution persistence rat stealer trojan upx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1309150098055495793/k9e9xgOw-6_C2plzzrJuXKnk0n6rjOfFwyNN15kYdvJC528Av5hMa6QHDC_kqeEBzjsS

Extracted

Family

xworm

Version

5.0

C2

ezfn57.serveo.net:4782

Mutex

s6QNsQsMG6xRRrJT

Attributes

Install_directory
%ProgramData%
install_file
WinRar.exe

aes.plain

Targets

- Target
  
  EzFN-Manager.exe
- Size
  
  3.8MB
- MD5
  
  2edfa42f0313ebe2b05d0d3961deaf3b
- SHA1
  
  82ba26770f8a59297e668a6ca95b4049c82b67e3
- SHA256
  
  f31b0285f3bccd657e9b591732186a807584901d2ab8924897fa679ed1b39a1b
- SHA512
  
  4bfe9e9766677aaf6e630ec8e653f9d61a75677e34b15661f3f04889b5c1397d9e06fb2e81bf7cda1e46fd00139528a4412278b6882ffcf78278ab0a69714378
- SSDEEP
  
  49152:GQyw/FgZl3Vslwr1ymub72iQkxDonnrxxxqNWN/l4itPBFGsDJjr6uas4:yw/K33VslU8zQkxkrhNzXZDFFZ4
Score

10^/10

skuld xworm discovery execution persistence rat stealer trojan upx
- Detect Xworm Payload
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

skuldxwormdiscoveryexecutionpersistenceratstealertrojanupx