Overview

overview

10

Static

static

10

2025-04-18...ch.exe

windows10-2004-x64

10

2025-04-18...ch.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18/04/2025, 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-18_d8aa48e2d8b8bbb5fc9579866accfe00_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

  • Size

    10.3MB

  • MD5

    d8aa48e2d8b8bbb5fc9579866accfe00

  • SHA1

    fb5492d7fe655199f810be4c50eea29023de8058

  • SHA256

    93643f6f0cea3ea34541a532b1d5acc89bd68a31975a96a7275e2d50c5ba13d8

  • SHA512

    e24985258dbe52126489e5ebd4e5b18bf55b8d58916b40deba8d5eaad1c3fe5183d6a5368cc725e228ddb89a8c01ab106f765886510ec60784b9d45cd12116ea

  • SSDEEP

    98304:CaSL8bZv/NL61NxiEvVbE/8CERB6O5wCA0rRxEmb:Cobl/NUvVbEEfRB6O5wFMSmb

Score
10/10
skuldpersistencestealer

Malware Config

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-18_d8aa48e2d8b8bbb5fc9579866accfe00_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-18_d8aa48e2d8b8bbb5fc9579866accfe00_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-04-18_d8aa48e2d8b8bbb5fc9579866accfe00_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:1912
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5588

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    Filesize

    6.6MB

    MD5

    d3bd33a607523664394649738d9fc4d1

    SHA1

    86fdefef8c7d39650158a4f3b14eb641bf27ef76

    SHA256

    12edc6660e7aa79cb23045033b9db719633e4f2886daa4aa6b76426dc1d3f887

    SHA512

    e50b16b5ade6657f34110b49b882e57e809cb6106014f59eaa8a81d43fde52849b87980958d1cec1eb451cda76aabd3191542ca0e4b2518816774572f8f4a209

    Download Submit