General

  • Target

    entropy.rar

  • Size

    23.2MB

  • Sample

    241213-ydssssxqbt

  • MD5

    07ce191bdd3e60c1b3e0a6d36167105a

  • SHA1

    134acab97c61acf87aaf12851ccf7de0283aa25c

  • SHA256

    f120e78f5372a5e02e00c9cc6a88b5df7d2d9044ef152caa310474a3f49d0fef

  • SHA512

    47ebfc29521077e7530f352d1cf1002de284c6e6b6c03be309acd59c420639e76eb4b6b1e850982c13758054070cae858cc440a8742e35036031afe6dba3983d

  • SSDEEP

    393216:DUDNlFOL5gxkmyCRqerSz6nJdy2xvx90z2hyvNdKbwQW/+LxvH2rYO3Rec7LIzO2:wDNlYqKmWOS2nrymp90zxNdKbw1/W08b

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1305388883403472987/ZM8O2LPQSxTa4igY8m5aAhYHsO4eg1h9kOuq-8gIBF7em3NCqM_H_4VGDC2MFSLuaRMg

Targets

    • Target

      entropy.rar

    • Size

      23.2MB

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks