skuld | 32b65dced2e32938c9c9d18645551e734be7020f8653216a7feb9bda96c8183d | Triage

Sharing

General

Target

2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer
Size

2.7MB
Sample

250323-ll6cmswvbs
MD5

ac4696c68595e11432cf374558408150
SHA1

d56227662f3f216af3606203e9c9f3001db324b2
SHA256

32b65dced2e32938c9c9d18645551e734be7020f8653216a7feb9bda96c8183d
SHA512

2a0b937312afe3f7628f0e852c143dfec1e5bb288e59cafd071d647554169c5663f50e5ba0b478ebf63d14e8950f816e225fcb9648a7ce692fa3c5e5df901763
SSDEEP

24576:VSpnhgp7a9sHiaw0VpDxnHTmFqiPPHFf5vdL+G9pEmbzSQo9dM46JYTcj0MOBEtp:VSxmpxiaZVpNHTCN5pN6r4LEEJxfX

Score

10^/10

skuld xworm defense_evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

VisoXC-36626.portmap.host:36626

Attributes

Install_directory
%Userprofile%
install_file
driverhost32.exe

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1352806168874975373/eWuKxj2jFgJzzBMgiQh_MevMVIGSkas35TGNtUfUToss1j_GT61e1A6mWAWeAq8Dp80s

Targets

- Target
  
  2025-03-23_ac4696c68595e11432cf374558408150_frostygoop_ghostlocker_knight_luca-stealer
- Size
  
  2.7MB
- MD5
  
  ac4696c68595e11432cf374558408150
- SHA1
  
  d56227662f3f216af3606203e9c9f3001db324b2
- SHA256
  
  32b65dced2e32938c9c9d18645551e734be7020f8653216a7feb9bda96c8183d
- SHA512
  
  2a0b937312afe3f7628f0e852c143dfec1e5bb288e59cafd071d647554169c5663f50e5ba0b478ebf63d14e8950f816e225fcb9648a7ce692fa3c5e5df901763
- SSDEEP
  
  24576:VSpnhgp7a9sHiaw0VpDxnHTmFqiPPHFf5vdL+G9pEmbzSQo9dM46JYTcj0MOBEtp:VSxmpxiaZVpNHTCN5pN6r4LEEJxfX
Score

10^/10

skuld xworm defense_evasion execution persistence rat stealer trojan
- Detect Xworm Payload
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Deobfuscate/Decode Files or Information
  Payload decoded via CertUtil.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Deobfuscate/Decode Files or Information

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

skuldxwormdefense_evasionexecutionpersistenceratstealertrojan