skuld | 007772a6d9c5b76d61a2408e948b24b0ae10c00435a1d74d935c162a88ca4008

General

Target

pyra.zip
Size

120KB
Sample

250405-n71emayjw4
MD5

7b0fc893480f207b449ac1808364ce50
SHA1

268bba521fadd969b32a63a0987b98e3d2455dd6
SHA256

007772a6d9c5b76d61a2408e948b24b0ae10c00435a1d74d935c162a88ca4008
SHA512

110d1cd312e1bbdd9c17f32af6a1a9ccbd8a2aefe7109cf3251bf976f7ef67c714a1b87f9b36d19bba815af59fa80ce9e5e412b344f2d70ff068f40b47f672a1
SSDEEP

3072:Tyfgl59SahHdExvuyotWlY0oLbKYAkz95kHR3nQ1RawGUYMyoi:TyolyvxvuYYtKanakyh

Score

10^/10

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1357468186764775586/BRP230l-SHvQfTpsLO5GgfFtW8ZwDogt43OWww-lXchxPOAw7f7pT6n98q0MMIyhGHyc

Targets

- Target
  
  pyra/Pyra.exe
- Size
  
  257KB
- MD5
  
  7a5e41ba12a894b44fb1a1624eb3e899
- SHA1
  
  c7e7321eaa462eab2c900003577de57ee4a1bc0a
- SHA256
  
  f5c969927a6ccabd7e29d659b1e0f28730fbe0e3c87063b194f8cc46b0c340df
- SHA512
  
  4b321938b3cc66fb344eb63c3482abc0fa896b52341c5614c93a5ae3efc14fb073fb0084a5fcd02e095976463c39a6a3c3a6027dc7f8297deee2b4ce31aaeb14
- SSDEEP
  
  6144:vTOEaJKAIbUNeolFb08afQ1Y28qUSyjPm:b3bQO4m
Score

10^/10

skuld xmrig defense_evasion discovery execution miner persistence stealer upx
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  pyra/data/data.bat
- Size
  
  2KB
- MD5
  
  cf53469fbe70862f8395e48088f5dc39
- SHA1
  
  2c0061116ec9d52689a27930c22dafcb26a89f71
- SHA256
  
  1dcdbb2c5ca99456ae680c7777226caa09b1cab8be979c69729a1c307d7b6806
- SHA512
  
  c0900865407b40f98f873043978e0bd162fd81e36f163110565683a8bcf0ea16204bdfd26cf1216ce395bc2b002737a84ee8669ddd0cc4e226b778a70e7f8fe2
Score

10^/10

skuld xmrig defense_evasion discovery execution miner persistence stealer upx
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Executes dropped EXE
- Modifies file permissions
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2