skuld | ed04e4a49975567e121f24d5727ae26bd04c30ab4d9a99897f84b3a87cf9b40e

Analysis

max time kernel
102s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Size

10.3MB
MD5

d9aee7cf0002606edf948d6b38c357e7
SHA1

eae81579f6057c1f016a61932c64e90d3813a1e9
SHA256

ed04e4a49975567e121f24d5727ae26bd04c30ab4d9a99897f84b3a87cf9b40e
SHA512

2f2c978e28595dd07e94a32521897f1b144fce12be3e5386e513d8bb7c99e2a82bfeb5d7af40d43cd96b88018b3a1d069cf1a3c3051f367e1165a4f2048d82be
SSDEEP

98304:QVghEwZ0/kg7oWvjfx/OdWcA0rU0UhkE1bl:QuhEU0/Bjfx/OdWHLd1bl

Score

10^/10

skuld persistence stealer

Malware Config

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 1 IoCs

pid	Process
3284	SecurityHealthSystray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Token: SeDebugPrivilege	3284	SecurityHealthSystray.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 5492	2868	2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	82
PID 2868 wrote to memory of 5492	2868	2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	82
PID 3092 wrote to memory of 3284	3092	cmd.exe	86
PID 3092 wrote to memory of 3284	3092	cmd.exe	86
PID 3284 wrote to memory of 5560	3284	SecurityHealthSystray.exe	87
PID 3284 wrote to memory of 5560	3284	SecurityHealthSystray.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5492	attrib.exe
5560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-04-17_d9aee7cf0002606edf948d6b38c357e7_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:5560

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.3MB

MD5
d9aee7cf0002606edf948d6b38c357e7

SHA1
eae81579f6057c1f016a61932c64e90d3813a1e9

SHA256
ed04e4a49975567e121f24d5727ae26bd04c30ab4d9a99897f84b3a87cf9b40e

SHA512
2f2c978e28595dd07e94a32521897f1b144fce12be3e5386e513d8bb7c99e2a82bfeb5d7af40d43cd96b88018b3a1d069cf1a3c3051f367e1165a4f2048d82be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads