Overview

overview

10

Static

static

3

2025-04-17...ch.exe

windows10-2004-x64

10

2025-04-17...ch.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    106s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/04/2025, 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

  • Size

    10.3MB

  • MD5

    d9aee7cf0002606edf948d6b38c357e7

  • SHA1

    eae81579f6057c1f016a61932c64e90d3813a1e9

  • SHA256

    ed04e4a49975567e121f24d5727ae26bd04c30ab4d9a99897f84b3a87cf9b40e

  • SHA512

    2f2c978e28595dd07e94a32521897f1b144fce12be3e5386e513d8bb7c99e2a82bfeb5d7af40d43cd96b88018b3a1d069cf1a3c3051f367e1165a4f2048d82be

  • SSDEEP

    98304:QVghEwZ0/kg7oWvjfx/OdWcA0rU0UhkE1bl:QuhEU0/Bjfx/OdWHLd1bl

Score
10/10
skuldpersistencestealer

Malware Config

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:3428
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    1⤵
      PID:3044

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      Filesize

      10.3MB

      MD5

      d9aee7cf0002606edf948d6b38c357e7

      SHA1

      eae81579f6057c1f016a61932c64e90d3813a1e9

      SHA256

      ed04e4a49975567e121f24d5727ae26bd04c30ab4d9a99897f84b3a87cf9b40e

      SHA512

      2f2c978e28595dd07e94a32521897f1b144fce12be3e5386e513d8bb7c99e2a82bfeb5d7af40d43cd96b88018b3a1d069cf1a3c3051f367e1165a4f2048d82be

      Download Submit