General

  • Target

    slinky.rar

  • Size

    26.7MB

  • Sample

    241226-vsm93ssjbz

  • MD5

    cc87cf7fe022949064c61decdb8fcd25

  • SHA1

    fde0a4ea608d00230450c9f5704803c25d98f5f1

  • SHA256

    4fe9951b93bfa62a0ce8358a3710bfe4a0695b6d86337c0cccb7aa5739d55e9f

  • SHA512

    1b8264011b4b815b4d703ef0cc7b4dc51328bf2a5efe60012888431eb36358c1f4996971a0e56fad0081ed1e6dda7975d56b049a9e705b158bbb1a1cb0607eac

  • SSDEEP

    393216:PVpYSceIQWPv7PKwveKqNHOcdSkHR63ScI7wLGPZ2rLT4IujYwt2hIVkg:t9cesTYKq3dS4Ag7wqPZIRuv2hqt

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1319318023546605670/8ICysG66W95LxC31v7Jh-RVSBgvIpQY7Xb_8zqo6013-KvzBx9wq-Tjf62q_WPmoxEeQ

Targets

    • Target

      slinky/slinky.exe

    • Size

      14.8MB

    • MD5

      9f108bdcaff2dd4d77962a4040d6fe21

    • SHA1

      bb79dba13c73d65634a292c2b0d07dc43c3ddcf8

    • SHA256

      dc58654266755dbe5a99388ed2455a9be7b4ab683c2926f476fca04fd4543870

    • SHA512

      dc62a14e541133f6ea261aea197d2c88c817745eb7aaea6310594ec38dc774396e63357cdce31a90c45aa282f2a7e59f4a8391cb0961ad1e4c56f254c900b64e

    • SSDEEP

      196608:IqZ4f/oCqKqc/3h4Po9pXx+29GAB7ob73mrVGwYdNE2vfUW:DZ4XoBKHp9AuM73gQDvfUW

    • Skuld family

    • Skuld stealer

      An info stealer written in Go lang.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      slinky/slinky_library.dll

    • Size

      11.7MB

    • MD5

      f4f7eacab208d7b50d50f196bd3facd2

    • SHA1

      82ca056ecb89d1612df069a42952e077f7e079e1

    • SHA256

      4f35cfe4d051d56cc22dc2743024ffa0f3b4ee906b34c4336c72d71bc55de708

    • SHA512

      9b61bd125e066df121186057bcb163bfb3d8fb9ff3447963df0e9b14ab57fdf6a8d1faf61a5e75dc3e53425f541bb624b9d8b787e322ea6b675489d532b8f001

    • SSDEEP

      3:WAYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYJYw:z

    Score
    1/10
    • Target

      slinky/slinkyhook.dll

    • Size

      228KB

    • MD5

      6d8c17c67970cb5841811eed8adffffc

    • SHA1

      c869ab32318a035e51aff8e5e11b4cd25fb52a4f

    • SHA256

      7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8

    • SHA512

      7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72

    • SSDEEP

      3072:hXxN1I6PgabbAzVxPLI5oIa5amK/1o4ptgELHY1lNyc+m+e7P26g66OVuknsDe0u:hhN1GFZq/15tFc+m97ieuknsDu

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks