General

  • Target

    MissWorld.png.exe

  • Size

    10.1MB

  • Sample

    250630-tz9k8a1tdv

  • MD5

    31743965a151ea7f85bb222e1f49b3b3

  • SHA1

    ae5202591fd1c685f7004da798bfca45dcfa508a

  • SHA256

    1be1474e493ffae0a7b65aab0e6e3f4d3bbb7dbb2d3648ced517d94d13ecee30

  • SHA512

    53ee7a648c22eb94655c60ed351a0cbafaf70e1b61c3e296693ddeabd3ee57ddcf3ae731331895cb34d9be0a5985e0e245d9684e71fc01b1a0bee3ee93212b90

  • SSDEEP

    98304:/90JORHh/oI8hgH5qLiDSxdscCt1KsEBBATA9tZekkU7YLD:CaH2I8hgk9xdsck1KFBnLZ0LD

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1387090487722250390/uIdf0nge3vqzIpSSyHk65zodg5HkaoJ7JNhM9x00yOP2qij7CJ79yoYCYQ27pyDXBpaz

Targets

    • Target

      MissWorld.png.exe

    • Skuld family

    • Skuld stealer

      An info stealer written in Go.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v16

Tasks