skuld | 3b3cfcf886394c7de10668f91f41842cf042f5eb3982dfab754c6c062b36968f

Resubmissions

07/04/2025, 22:02

250407-1xxbfawlt4 10

07/04/2025, 21:58

250407-1vskgawtgz 10

Analysis

max time kernel
5s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
07/04/2025, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crusaderh.exe
Size

10.3MB
MD5

3546535c86608256106fbbcd12947541
SHA1

fe89e73f8a6258d4802599cfeb68a5d64211f62b
SHA256

3b3cfcf886394c7de10668f91f41842cf042f5eb3982dfab754c6c062b36968f
SHA512

3386a25743192b625788d5f7ac0eb042c7b740448129e178ae4c3ca78384ea056653cadaed2487bfde7c103d8f18bbb6f80415a1ef160d00a536b046cd34f2d2
SSDEEP

98304:IEmfFRZ6PUsNpPRK1GGnsC+asUL+R/w6sA0rn7AEcb:IvFRsPUXGGnsjjUL+R/wiy5cb

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1358292626033479860/bWGdGqkSCGvNdRIBRnMP6UScL2OEb5UwrQVRSjwGQZv-ahN0TLFNqRlxmegpGo3-6Lyl

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	crusaderh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	crusaderh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6016	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 5608	2072	crusaderh.exe	79
PID 2072 wrote to memory of 5608	2072	crusaderh.exe	79

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\crusaderh.exe
"C:\Users\Admin\AppData\Local\Temp\crusaderh.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\crusaderh.exe
  2⤵
  - Views/modifies file attributes
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
8.2MB

MD5
4c2fa27ca8815ff62dbb4a273b809c2c

SHA1
d77dd96274fc49fd270f6f8a801b04888087f7cd

SHA256
ac54d8871feb4fa1f4c719a1f9b83036ae8f6fd7feae01369228b00eeeb9591c

SHA512
988a80ab68f4c4600193216d6df3f244041feb30fe70d922140ccd7692001e45a8f50f43160628953090940887f641317c671c8c511b18dd889bb0f17ff02a88

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads