Overview

overview

10

Static

static

1

skuld.rar

windows10-2004-x64

10

skuld.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23/02/2025, 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skuld.rar

  • Size

    3.6MB

  • MD5

    ef0bcceda79befa7842359da1edd2170

  • SHA1

    607368e895419fcfe3ed57958c9e0026217d448b

  • SHA256

    8432cf8fc3189ecef5925f2b4f9294b4b58811a23929e3733486c510d262f56f

  • SHA512

    760b7153450c106e64f01dbf2878d0924bc4b327623af22f13d4c509051c810ea06dab842dcd8a996c04962a180f673fd885152e6e3b4fd300b3255d122afbc1

  • SSDEEP

    49152:vd81dNtjhkCAWM3q71ibKR5K5/b1I5pixTZ4sl4oK0az5U7dvhHkd/bJI9T6sNUt:vC7jm9XUl6lb1FjlBK0y5ImlI9/kmyRT

Score
10/10
skuldpersistencestealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1343209123356999732/LP142VV-ML9jKwDDmI34_RZyez4zp6Ksa4deBV_Iz3mxgdXjnr9AtgGxx00eV9yW2tj7

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skuld.rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1748
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:968
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:996
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skuld.rar"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4452
    • C:\Users\Admin\Desktop\skuld.exe
      "C:\Users\Admin\Desktop\skuld.exe"
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\system32\attrib.exe
        attrib +h +s C:\Users\Admin\Desktop\skuld.exe
        2⤵
        • Views/modifies file attributes
        PID:1560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\skuld.exe
      Filesize

      9.9MB

      MD5

      58ac8c0298e3268eef8afd03f1e1945c

      SHA1

      59f28807eb1339084fc34854a1dd1b4ea0304204

      SHA256

      93d7761dbbb6e9d3d386f9d86e236659a20fad210a26e933f16c49519f9631bb

      SHA512

      60cd33a2e471e2b7e28d971827a36b355299d0e5ab713cb5aed4d563ed09da57c7f8d279ad011499f58108e4e02d0c933c7840609ccfdf441c2abd90ff949380

      Download Submit