skuld | 3b3cfcf886394c7de10668f91f41842cf042f5eb3982dfab754c6c062b36968f

Resubmissions

07/04/2025, 21:56

250407-1tnvwswky9 10

07/04/2025, 21:55

250407-1s4vqawky6 10

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
07/04/2025, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crusaderh.exe
Size

10.3MB
MD5

3546535c86608256106fbbcd12947541
SHA1

fe89e73f8a6258d4802599cfeb68a5d64211f62b
SHA256

3b3cfcf886394c7de10668f91f41842cf042f5eb3982dfab754c6c062b36968f
SHA512

3386a25743192b625788d5f7ac0eb042c7b740448129e178ae4c3ca78384ea056653cadaed2487bfde7c103d8f18bbb6f80415a1ef160d00a536b046cd34f2d2
SSDEEP

98304:IEmfFRZ6PUsNpPRK1GGnsC+asUL+R/w6sA0rn7AEcb:IvFRsPUXGGnsjjUL+R/wiy5cb

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1358292626033479860/bWGdGqkSCGvNdRIBRnMP6UScL2OEb5UwrQVRSjwGQZv-ahN0TLFNqRlxmegpGo3-6Lyl

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	crusaderh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5268	crusaderh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5268 wrote to memory of 3344	5268	crusaderh.exe	83
PID 5268 wrote to memory of 3344	5268	crusaderh.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3344	attrib.exe

C:\Users\Admin\AppData\Local\Temp\crusaderh.exe
"C:\Users\Admin\AppData\Local\Temp\crusaderh.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5268
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\crusaderh.exe
  2⤵
  - Views/modifies file attributes
  PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.3MB

MD5
3546535c86608256106fbbcd12947541

SHA1
fe89e73f8a6258d4802599cfeb68a5d64211f62b

SHA256
3b3cfcf886394c7de10668f91f41842cf042f5eb3982dfab754c6c062b36968f

SHA512
3386a25743192b625788d5f7ac0eb042c7b740448129e178ae4c3ca78384ea056653cadaed2487bfde7c103d8f18bbb6f80415a1ef160d00a536b046cd34f2d2

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads