General
-
Target
slinky.rar
-
Size
26.7MB
-
Sample
241226-vsm93ssjbz
-
MD5
cc87cf7fe022949064c61decdb8fcd25
-
SHA1
fde0a4ea608d00230450c9f5704803c25d98f5f1
-
SHA256
4fe9951b93bfa62a0ce8358a3710bfe4a0695b6d86337c0cccb7aa5739d55e9f
-
SHA512
1b8264011b4b815b4d703ef0cc7b4dc51328bf2a5efe60012888431eb36358c1f4996971a0e56fad0081ed1e6dda7975d56b049a9e705b158bbb1a1cb0607eac
-
SSDEEP
393216:PVpYSceIQWPv7PKwveKqNHOcdSkHR63ScI7wLGPZ2rLT4IujYwt2hIVkg:t9cesTYKq3dS4Ag7wqPZIRuv2hqt
Behavioral task
behavioral1
Sample
slinky/slinky.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
slinky/slinky_library.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
slinky/slinkyhook.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
skuld
https://ptb.discord.com/api/webhooks/1319318023546605670/8ICysG66W95LxC31v7Jh-RVSBgvIpQY7Xb_8zqo6013-KvzBx9wq-Tjf62q_WPmoxEeQ
Targets
-
-
Target
slinky/slinky.exe
-
Size
14.8MB
-
MD5
9f108bdcaff2dd4d77962a4040d6fe21
-
SHA1
bb79dba13c73d65634a292c2b0d07dc43c3ddcf8
-
SHA256
dc58654266755dbe5a99388ed2455a9be7b4ab683c2926f476fca04fd4543870
-
SHA512
dc62a14e541133f6ea261aea197d2c88c817745eb7aaea6310594ec38dc774396e63357cdce31a90c45aa282f2a7e59f4a8391cb0961ad1e4c56f254c900b64e
-
SSDEEP
196608:IqZ4f/oCqKqc/3h4Po9pXx+29GAB7ob73mrVGwYdNE2vfUW:DZ4XoBKHp9AuM73gQDvfUW
-
Skuld family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
-
-
Target
slinky/slinky_library.dll
-
Size
11.7MB
-
MD5
f4f7eacab208d7b50d50f196bd3facd2
-
SHA1
82ca056ecb89d1612df069a42952e077f7e079e1
-
SHA256
4f35cfe4d051d56cc22dc2743024ffa0f3b4ee906b34c4336c72d71bc55de708
-
SHA512
9b61bd125e066df121186057bcb163bfb3d8fb9ff3447963df0e9b14ab57fdf6a8d1faf61a5e75dc3e53425f541bb624b9d8b787e322ea6b675489d532b8f001
-
SSDEEP
3:WAYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYw:z
Score1/10 -
-
-
Target
slinky/slinkyhook.dll
-
Size
228KB
-
MD5
6d8c17c67970cb5841811eed8adffffc
-
SHA1
c869ab32318a035e51aff8e5e11b4cd25fb52a4f
-
SHA256
7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8
-
SHA512
7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72
-
SSDEEP
3072:hXxN1I6PgabbAzVxPLI5oIa5amK/1o4ptgELHY1lNyc+m+e7P26g66OVuknsDe0u:hhN1GFZq/15tFc+m97ieuknsDu
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4