General

  • Target

    2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch

  • Size

    14.2MB

  • Sample

    241213-st5veasng1

  • MD5

    c31b7327783e94ba4d33daee19d13126

  • SHA1

    fe4c6ef4372800cb9344ea79089a886b9fc483bb

  • SHA256

    1ee7c8f4ec2d4fde0a8dcd33c6ec12e80479ce99e9b3efdb430a1d408487fc41

  • SHA512

    1c79aac263598034b8baca1b2031f8e126930cc869ee34fff692a96cf81a4c43b7b0b6017335b7dfcde33f222709dc6fa3f2198e7af107a185040d8b1b8da9a7

  • SSDEEP

    196608:jWJafoL/tUoTX4Zzbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:jWsfm/2bh1lkSFCdTauZo

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1258370606617985124/ZKzGvbPw4E_h8iy2cLQqE7gI1qxDBEoEg86CnrRPkpo0pHUo5LtTcCn_z5-QYIPGq-aI

Targets

    • Target

      2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch

    • Size

      14.2MB

    • MD5

      c31b7327783e94ba4d33daee19d13126

    • SHA1

      fe4c6ef4372800cb9344ea79089a886b9fc483bb

    • SHA256

      1ee7c8f4ec2d4fde0a8dcd33c6ec12e80479ce99e9b3efdb430a1d408487fc41

    • SHA512

      1c79aac263598034b8baca1b2031f8e126930cc869ee34fff692a96cf81a4c43b7b0b6017335b7dfcde33f222709dc6fa3f2198e7af107a185040d8b1b8da9a7

    • SSDEEP

      196608:jWJafoL/tUoTX4Zzbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:jWsfm/2bh1lkSFCdTauZo

    • Skuld family

    • Skuld stealer

      An info stealer written in Go lang.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks