General

  • Target

    059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949

  • Size

    216KB

  • Sample

    220212-m3rfgsdbdj

  • MD5

    e78b7322cd18724a50ab5b8a2ddd0886

  • SHA1

    43447243c511235028d38285b65d3c7e02e740b9

  • SHA256

    059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949

  • SHA512

    abdb2dba403e2154800f18f9448e62e285ee509bcfca591c167fd663f7f40848981a34c97e335b81a4937af5e3fb4485a4f82aa33ea5a808ff2bddd63191131f

Malware Config

Targets

    • Sakula

      Sakula (also tracked as Mivast, the name the Suricata rule below uses) is a remote access trojan that gives the operator control of the infected host and beacons to its command-and-control server over HTTP.

    • Sakula Payload

    • suricata: ET MALWARE SUSPICIOUS UA (iexplore)

      Alert on an HTTP request whose User-Agent header is the bare string "iexplore", which no real browser sends; Sakula beacons with this User-Agent.

    • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

      Alert on the HTTP beacon pattern of the Sakula/Mivast RAT, i.e. the sample attempted to contact its command-and-control server during the run.

    • Executes dropped EXE

    • UPX packed file

      The executable is packed with UPX, or with a modified build of the open-source UPX packer; unpack it before static analysis.

    • Checks computer location settings

      Reads the country code configured in the registry (the system locale/geo setting), most likely to geofence execution to or away from particular countries.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      Writes a value under a Run registry key so the dropped application is launched again at user logon (persistence).
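
The three findings in this list that can be re-checked offline on a copy of the file and its traffic are the UPX packing, the reported IOC hashes and the bare "iexplore" User-Agent the Suricata rule keys on. The Python below is an added triage helper written for this page; it is not code from the sandbox, from UPX or from the ET ruleset. The IOC hashes are copied from the General section; everything else is assumed: the PE buffer (build_fake_pe) and HTTP request (SAMPLE_BEACON) it tests on are constructed, the UPX section-name list and the "UPX!" marker search are heuristics that a modified packer can defeat, and the guess that the ET rule matches a User-Agent value of exactly "iexplore" should be checked against the rule text.

```python
"""Offline triage checks for behaviours this report lists (added example, not
sandbox code): UPX packing, IOC hash match, and the bare 'iexplore' User-Agent."""
import hashlib
import struct

# Hashes copied from the report's General section.
IOC_HASHES = {
    "md5": "e78b7322cd18724a50ab5b8a2ddd0886",
    "sha1": "43447243c511235028d38285b65d3c7e02e740b9",
    "sha256": "059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949",
}

# Section names stock UPX writes; modified builds may rename them (heuristic).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# Constructed HTTP request for testing; not captured from the sample.
SAMPLE_BEACON = (b"GET / HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                 b"User-Agent: iexplore\r\n\r\n")


def hash_matches(data):
    """Map each IOC algorithm to whether the data's digest equals the report's value."""
    return {algo: hashlib.new(algo, data).hexdigest() == value
            for algo, value in IOC_HASHES.items()}


def pe_section_names(data):
    """Walk the PE headers and return the section names (NUL padding stripped).
    Raises ValueError if the buffer is not shaped like a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 inside the 20-byte file header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """Flag UPX by section names, or by the 'UPX!' info-block marker UPX leaves
    in the header region (secondary heuristic; stripped by some modified builds)."""
    try:
        names = pe_section_names(data)
    except ValueError:
        return False
    return any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in data[:0x1000]


def suspicious_iexplore_ua(request):
    """Approximation of what the ET 'SUSPICIOUS UA (iexplore)' rule keys on
    (assumption): a User-Agent header whose whole value is 'iexplore'."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"user-agent:"):
            return line.split(b":", 1)[1].strip().lower() == b"iexplore"
    return False


def build_fake_pe(section_names):
    """Construct a minimal, non-executable PE-shaped buffer carrying the given
    section names (constructed test input, not the analysed sample)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                           opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + b"\0" * opt_size + sections


def triage(data, requests):
    """Combine the checks into findings named like the report's signature list."""
    findings = []
    if any(hash_matches(data).values()):
        findings.append("Hash matches reported IOC")
    if is_upx_packed(data):
        findings.append("UPX packed file")
    if any(suspicious_iexplore_ua(r) for r in requests):
        findings.append("ET MALWARE SUSPICIOUS UA (iexplore)")
    return findings


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(triage(packed, [SAMPLE_BEACON]))
```

Run it against the real file by passing the file's bytes and the HTTP requests from the run's pcap; on the constructed input the hash check stays negative by design, since the buffer is not the sample.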

MITRE ATT&CK Enterprise v6

Tasks