Windows Analysis Report
skuld3.exe

Overview

General Information

Sample name: skuld3.exe
Analysis ID: 1545290
MD5: 96cf5bfd737ba042e552c66fbd2d344e
SHA1: 861e144cce53b756a81079923011ad87d6e3ce13
SHA256: a4a66b5826dbc95ed463bf1daaa417ae99ea8b1b27ddbacdceba94657babbafc
Tags: exe, user-NDA0E

Detection

Skuld Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
UAC bypass detected (Fodhelper)
Yara detected Skuld Stealer
AI detected suspicious sample
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses cmd line tools excessively to alter registry or file data
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Yara detected Credential Stealer

Classification

AV Detection

Source: skuld3.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Avira: detection malicious, Label: TR/AD.GenSteal.dwlre
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe ReversingLabs: Detection: 44%
Source: skuld3.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 89.4% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Joe Sandbox ML: detected
Source: skuld3.exe Joe Sandbox ML: detected

Privilege Escalation

Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Registry value created: NULL C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Registry value created: DelegateExecute
Source: skuld3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: api.ipify.org
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic HTTP traffic detected:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://ip-api.com/json
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4sqlite:
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/1293231846204903474/NlFoQQli1eEBiZ1mTgA4lGWcgDGUPQu-TH2KjA0djnkL
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@32/1@2/2
Source: C:\Users\user\Desktop\skuld3.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\3575651c-bb47-448e-a514-22865732bbc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\skuld3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: skuld3.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\skuld3.exe File read: C:\Users\user\Desktop\skuld3.exe
Source: unknown Process created: C:\Users\user\Desktop\skuld3.exe "C:\Users\user\Desktop\skuld3.exe"
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\skuld3.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\skuld3.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: samlib.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: skuld3.exe Static file information: File size 3319808 > 1048576
Source: skuld3.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x32a400
Source: skuld3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: skuld3.exe Static PE information: section name: UPX2
Source: SecurityHealthSystray.exe.0.dr Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\skuld3.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\skuld3.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\skuld3.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: attrib.exe
Source: C:\Users\user\Desktop\skuld3.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\skuld3.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
Source: C:\Users\user\Desktop\skuld3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service
Source: C:\Users\user\Desktop\skuld3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service
Source: C:\Users\user\Desktop\skuld3.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\skuld3.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Handshakemath/randClassINETAuthorityquestionsinfo_hashuser32.dllvmwaretrayxenservicevmwareusermegadumperscyllahidevirtualboxPxmdUOpVyxQ9IATRKPRHPaul userd1bnJkfVlHQarZhrdBpjPC-DANIELEqarzhrdbpjq9iatrkprhd1bnjkfvlhJUDES-DOJOGJAm1NxXVmdOuyo8RV7105KvAUQKPQOf20XqH4VLpxmduopvyxJcOtj17dZxcM0uEGN4do64F2tKIqO5GexwjQdjXGfNBDSlDTXYmcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootlogins.txtLogin DataChrome SxS360BrowserUR BrowserdiscordptbinitiationByHackirbysecure.datauto_startsteam-tempEpic Games.minecraftRiot GamesShowWindow-NoProfileExtensionsExodusWeb3PaliWalletwinsymlink/dev/stdinCreateFileterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllexecerrdotSYSTEMROOTavatar_url
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: tznamerdtscppopcntempty rune1 RGBA64Gray16X25519%w%.0wAcceptServercmd/goheaderAnswerLengthSTREETavx512rdrandrdseedwebhookcryptosregeditollydbgdf5servvmusrvctaskmgrqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe pro3u2v9m8SERVER1MIKE-PCNETTYPClisa-pcHEUeRzljohn-pcZELJAVALISA-PCWILEYPCJOHN-PCserver1wileypcAIDANPC7DBgdxuJAW4Dz0cMkNdS6Mr.Nonej7pNjWMequZE3Jo6jdigqKUv3bT4ymONofgheuerzlIVwoKUFavg.comDefaultFirefoxMercuryAddressNetworkCookiesHistorykey4.dbThoriumIridiumVivaldiOrbitumMaxthonK-MelonSputnikSlimjetOperaGXaccountaddressDesktopcontentAppDatadiscordmodulesRoamingversionWindowsFeatherBadlionleveldbAPPDATACaption%.2f GBprofileDiscord`Nitro`.sqlitecmd.exeWallets\ArmoryCoinomiBinanceMartianPhantomSafepalSolfareiWalletLICENSEProtectfloat32float64readdirconsoleabortedCopySidWSARecvWSASendconnectsignal runningPATHEXT_pragmapragma _txlocknumber nil keyUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT19531259765625FreeSidSleepExinvaliduintptrSwapperChanDir Value>Convert\\.\UNCforcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: OpenEventAUnlockFileunrechableno consoleenter-fastRIPEMD-160impossible[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]rune <nil>image: NewBM????res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
Source: fodhelper.exe, 0000000C.00000002.1764085757.000001D581E69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_DltAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutapdh.dllwindowswsarecvwsasendlookup writetoavx512fSHA-224SHA-256SHA-384SHA-512InstAltInstNopalt -> nop -> any -> NRGBA64tls3desderivedInitialExpiresSubjectcharsetos/execruntimeanswers]?)(.*)Ed25519MD5-RSAserial:eae_prk2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavevmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversalUSERNAMEEIEEIFYEGBQHURCCORXGKKZCoreleepcJBYQTQBOMARCI-PClmVwjj9bGRXNNIIELUCAS-PCjulia-pcXGNSVODUESPNHOOLORELEEPCVONRAHELTMKNGOMUJULIA-PC05h00Gi05ISYH9SHICQja5iTQZSBJVWMUspG1y1CecVtZ5wEBUiA1hkmOZFUCOD6o8yTi52Th7dk1xPrQORxJKNkgL50ksOpSqgFOf3Gj.seancedxd8DJ7clmvwjj9beset.com-CommandDisabled0.0.0.0 Web DataWaterfoxK-MeleonCyberfoxBlackHawUsernamePasswordBrowsers```%s```ChromiumElementsCatalinaQIP SurfpasswordbancairemetamaskdatabasePicturesOneDriveindex.jsSettingssettings.featherNovolinealts.txtPaladiumgames-%s
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
Source: SecurityHealthSystray.exe, 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparsesse41sse42ssse3SHA-1matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
Source: skuld3.exe, 00000000.00000002.1698605903.00000229D3BBC000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 00000005.00000002.1774461999.000002CB3F34C000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 0000000D.00000002.1775758684.000001F43DD1D000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 00000010.00000002.1861621099.000001986B2AD000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 00000017.00000002.1862181006.0000021F341CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\skuld3.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\skuld3.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\skuld3.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\Desktop\skuld3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 13.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.skuld3.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: skuld3.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 3272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 2108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 4304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 6864, type: MEMORYSTR
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instkernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqinetedns0[::1]:53continue_gatewayinvalid address readfromunixgram
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: - `` - Jaxx%s%sCoreEverMathNamiTrontruefilereadopensyncpipelinkStatquitbindidle.com.exe.bat.cmdUUIDPOSTtext asn1nullbooljson'\''Host&lt;&gt;http1080DATAPINGEtag0x%xdateetagfromhostvaryDategzip%x
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in gotime: invalid numberJordan Standard TimeArabic Standard TimeIsrael Standard TimeTaipei Standard TimeAzores Standard TimeTurkey Standard TimeEgyptian_HieroglyphsMeroitic_Hieroglyphsinvalid DNS responsegetadaptersaddressesunexpected network: form-data; name="%s"EnterCriticalSectionGetFileAttributesExALeaveCriticalSectionSystemTimeToFileTimeGetSidLengthRequiredenter-recursive-loopnumber has no digitsexpression too largeinvalid repeat count[invalid char class]Bad chunk length: %dbad palette length: invalid image size: unknown PSK identitycertificate requiredgzip: invalid headerheader line too longx509usefallbackrootsmissing IPv6 addressunexpected characterflate: closed writerzlib: invalid headergetCert can't be nilinvalid UTF-8 stringx509: malformed spkiunsupported suite IDinvalid integer typesha3: Sum after ReadSafeArrayDestroyDataSafeArrayGetElemsizemodulus must be >= 0systemexplorerserviceSystemParametersInfoWwin32_VideoController-SubmitSamplesConsentcore.asar not in bodyDiscordTokenProtectordiscordtokenprotectorProtectionPayload.dllintegrity_checkmoduleUbisoft Game LauncherTous les utilisateurs\Exodus\exodus.walletreflect.Value.Complextrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationLookupPrivilegeValueWAdjustTokenPrivilegesexec: already startedunsupported operationinternal error: rc %dsequence tag mismatchafter top-level valuein string escape codekey is not comparableclipboard unavailablenot dib format data: bufio: negative counthttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTrip failure: %vUnhandled Setting: %vnet/http: nil Contextunknown address type command not supportedPrecondition RequiredInternal Server ErrorWindows Code Page 858186264514923095703125931322574615478515625GetVolumeInformationWEnableCounterForIoctlCM_Get_DevNode_StatusChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWbad type in compare: of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintNetUserGetLocalGroupsGetProfilesDirectoryWnegative shift amountsystem goroutine waitconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: inv
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullhttp: blank cookiereceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-Lengthfield value for %qIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)adaptivestackstartdontfreezetheworldtraceadvanceperiodtracebackancestorsgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldwait until GC endsbad lfnode addresssystem page size (elem align too big but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparsesse41sse42ssse3SHA-1matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instkernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqinetedns0[::1]:53continue_gatewayinvalid address readfromunixgram
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: invalid escape sequenceunsupported certificateno application protocolech accept confirmationCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0QUICEncryptionLevel(%v)varint integer overflowexit hook invoked panicpattern bits too long: too many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classflate: internal error: invalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versionVariantTimeToSystemTimeSafeArrayCreateVectorExP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid scalar encodingGetWindowThreadProcessId-EnableNetworkProtection\Coinomi\Coinomi\walletsfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWGetProcessImageFileNameWexec: Stdout already setskuld - made by hackirbyjson: unsupported type: RegisterClipboardFormatAinvalid argument to Intnunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sapplication/octet-streamRequest Entity Too Largehttp: nil Request.Header116415321826934814453125582076609134674072265625AllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDevicetracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailable
Source: skuld3.exe, 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullhttp: blank cookiereceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-Lengthfield value for %qIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)adaptivestackstartdontfreezetheworldtraceadvanceperiodtracebackancestorsgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldwait until GC endsbad lfnode addresssystem page size (elem align too big but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt
Source: Yara match File source: 13.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.skuld3.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: skuld3.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 3272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 2108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 4304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 6864, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 13.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.skuld3.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecurityHealthSystray.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.1856085680.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1848546482.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694869303.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1769455210.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1772275598.0000000000D71000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: skuld3.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 3272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 2108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 4304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecurityHealthSystray.exe PID: 6864, type: MEMORYSTR