skuld | 28d351252216d3ac879ed61553fabb73ba58890ad1a603ecf23083e07dc00612

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slinky.exe
Size

14.8MB
MD5

58bc5cc47fa258cd1be97ee171a551d6
SHA1

d359a53319cd2d6da314b1d3d3626c9d2f455f8d
SHA256

28d351252216d3ac879ed61553fabb73ba58890ad1a603ecf23083e07dc00612
SHA512

2e7de308bce8865dcca1ca25c78d0be9128ad4efe0f48a7e4216c04822b07325964bfb2a0958952f10e155e510a450bbab113cf2e92a7a0017bf05335676ab55
SSDEEP

196608:DqZ4f/oCqKqc/3h4Po9NXx+29GAB7ob73mrVGwYdNE2vfUW:OZ4XoBKHN9AuM73gQDvfUW

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1342388168812527616/-lRZ8Lzq0-yW-y8xBH1Y_PX4RtQflysH7EEHAsl_JbK32v8hRM3xrYRbVdzoiRn3xwmE

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org
7	ip-api.com

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	slinky.exe
Token: SeIncreaseQuotaPrivilege	2868	wmic.exe
Token: SeSecurityPrivilege	2868	wmic.exe
Token: SeTakeOwnershipPrivilege	2868	wmic.exe
Token: SeLoadDriverPrivilege	2868	wmic.exe
Token: SeSystemProfilePrivilege	2868	wmic.exe
Token: SeSystemtimePrivilege	2868	wmic.exe
Token: SeProfSingleProcessPrivilege	2868	wmic.exe
Token: SeIncBasePriorityPrivilege	2868	wmic.exe
Token: SeCreatePagefilePrivilege	2868	wmic.exe
Token: SeBackupPrivilege	2868	wmic.exe
Token: SeRestorePrivilege	2868	wmic.exe
Token: SeShutdownPrivilege	2868	wmic.exe
Token: SeDebugPrivilege	2868	wmic.exe
Token: SeSystemEnvironmentPrivilege	2868	wmic.exe
Token: SeRemoteShutdownPrivilege	2868	wmic.exe
Token: SeUndockPrivilege	2868	wmic.exe
Token: SeManageVolumePrivilege	2868	wmic.exe
Token: 33	2868	wmic.exe
Token: 34	2868	wmic.exe
Token: 35	2868	wmic.exe
Token: 36	2868	wmic.exe
Token: SeIncreaseQuotaPrivilege	2868	wmic.exe
Token: SeSecurityPrivilege	2868	wmic.exe
Token: SeTakeOwnershipPrivilege	2868	wmic.exe
Token: SeLoadDriverPrivilege	2868	wmic.exe
Token: SeSystemProfilePrivilege	2868	wmic.exe
Token: SeSystemtimePrivilege	2868	wmic.exe
Token: SeProfSingleProcessPrivilege	2868	wmic.exe
Token: SeIncBasePriorityPrivilege	2868	wmic.exe
Token: SeCreatePagefilePrivilege	2868	wmic.exe
Token: SeBackupPrivilege	2868	wmic.exe
Token: SeRestorePrivilege	2868	wmic.exe
Token: SeShutdownPrivilege	2868	wmic.exe
Token: SeDebugPrivilege	2868	wmic.exe
Token: SeSystemEnvironmentPrivilege	2868	wmic.exe
Token: SeRemoteShutdownPrivilege	2868	wmic.exe
Token: SeUndockPrivilege	2868	wmic.exe
Token: SeManageVolumePrivilege	2868	wmic.exe
Token: 33	2868	wmic.exe
Token: 34	2868	wmic.exe
Token: 35	2868	wmic.exe
Token: 36	2868	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4988	4528	slinky.exe	85
PID 4528 wrote to memory of 4988	4528	slinky.exe	85
PID 4528 wrote to memory of 3716	4528	slinky.exe	86
PID 4528 wrote to memory of 3716	4528	slinky.exe	86
PID 4528 wrote to memory of 2868	4528	slinky.exe	89
PID 4528 wrote to memory of 2868	4528	slinky.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3716	attrib.exe
4988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\slinky.exe
"C:\Users\Admin\AppData\Local\Temp\slinky.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\slinky.exe
  2⤵
  - Views/modifies file attributes
  PID:4988
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3716
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.8MB

MD5
58bc5cc47fa258cd1be97ee171a551d6

SHA1
d359a53319cd2d6da314b1d3d3626c9d2f455f8d

SHA256
28d351252216d3ac879ed61553fabb73ba58890ad1a603ecf23083e07dc00612

SHA512
2e7de308bce8865dcca1ca25c78d0be9128ad4efe0f48a7e4216c04822b07325964bfb2a0958952f10e155e510a450bbab113cf2e92a7a0017bf05335676ab55

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads