General

  • Target

    Scarlet - Leaked.zip

  • Size

    870.2MB

  • Sample

    241204-x9xaesxmgv

  • MD5

    a3b5feef02115678f978db7554c7f31d

  • SHA1

    ff33112cea6b9b07978ff6cc0110bcabf87a119a

  • SHA256

    4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096

  • SHA512

    2f542536c63d39aa91fcd9a3551c8c35fa353527c3b2b92bbe03f317cc4cd59468f3dab08d07b3accf3d462113ff6978cc2c20a47d921cc131a280ba60b0d9ef

  • SSDEEP

    25165824:sjgRGxSjypuk9ED+LeElqRwAbtbwxW6pbG:sjmGxE2h9i+BlquA5eWH

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1239728722446127235/CpLJBY80lsrvoWdpGjb7u3dhcW1liVDmy8--92GwopK7rc1uao8ShPq737KOZB0mDKuj

https://discord.com/api/webhooks/1239446722099286036/03iTGgnO1RXQSJpzERDxtEJ1DFuminwxIxeZh8ICScbvQq6rVvo6IKfigRDYRYMvbGSj

Targets

    • Target

      Scarlet - Leaked.zip

    • Size

      870.2MB

    • MD5

      a3b5feef02115678f978db7554c7f31d

    • SHA1

      ff33112cea6b9b07978ff6cc0110bcabf87a119a

    • SHA256

      4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096

    • SHA512

      2f542536c63d39aa91fcd9a3551c8c35fa353527c3b2b92bbe03f317cc4cd59468f3dab08d07b3accf3d462113ff6978cc2c20a47d921cc131a280ba60b0d9ef

    • SSDEEP

      25165824:sjgRGxSjypuk9ED+LeElqRwAbtbwxW6pbG:sjmGxE2h9i+BlquA5eWH

    • Score

      1/10

    • Target

      Scarlet - Leaked/1 (3).exe

    • Size

      9.5MB

    • MD5

      4b4fd9e69f42cb13de665dc393ca174d

    • SHA1

      6dccc955f9e3ceb435790a93ecd37e9584d07526

    • SHA256

      09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46

    • SHA512

      7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79

    • SSDEEP

      98304:8vksIj0SI3ZpInyzr70vjDy3yMJEEYXOSF8Me53H:8Ls0SI3cckvjDyCMKEYX7e53H

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      Scarlet - Leaked/Leaked by Bm666 (7.5).exe

    • Size

      9.5MB

    • MD5

      24b21ce0ed7f316e6c01fd3d0ee6b5ce

    • SHA1

      d79b1cb928fb1474b17bb0c47f86984bbffcc48e

    • SHA256

      4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f

    • SHA512

      4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c

    • SSDEEP

      98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      Scarlet - Leaked/Leaked by Bm666 .exe

    • Size

      9.5MB

    • MD5

      24b21ce0ed7f316e6c01fd3d0ee6b5ce

    • SHA1

      d79b1cb928fb1474b17bb0c47f86984bbffcc48e

    • SHA256

      4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f

    • SHA512

      4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c

    • SSDEEP

      98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      Scarlet - Leaked/Videos (4)/InShot_10190927_154545638.exe

    • Size

      9.5MB

    • MD5

      4b4fd9e69f42cb13de665dc393ca174d

    • SHA1

      6dccc955f9e3ceb435790a93ecd37e9584d07526

    • SHA256

      09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46

    • SHA512

      7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79

    • SSDEEP

      98304:8vksIj0SI3ZpInyzr70vjDy3yMJEEYXOSF8Me53H:8Ls0SI3cckvjDyCMKEYX7e53H

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      Scarlet - Leaked/Videos (4)/Part 3.exe

    • Size

      9.5MB

    • MD5

      24b21ce0ed7f316e6c01fd3d0ee6b5ce

    • SHA1

      d79b1cb928fb1474b17bb0c47f86984bbffcc48e

    • SHA256

      4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f

    • SHA512

      4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c

    • SSDEEP

      98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks