General

  • Target

    06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928

  • Size

    2.3MB

  • Sample

    220605-skg2zsfhcn

  • MD5

    f7c557fc2403c86746f2f45a25b98920

  • SHA1

    fe7761f978e3d956cbe1c16a2ac4146b6ede54a9

  • SHA256

    06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928

  • SHA512

    a52ca721f7f17380bb26cf80e7515c53f39cab9453e21f6515c39975fa3c0cbc05d3e15efa4cf0c23035e9ee42c778f3cb0930c1f299fbd4c34b020f6af6fdbf

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
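The C2 list above is the most directly actionable part of this report: a host that fetches any of these URLs is either infected or talking to the sinkhole that now answers for them. The following is an added example (not part of the sandbox report) that matches proxy log lines against the extracted C2 URLs. The log format (`<timestamp> <client_ip> <method> <url> <status>`) and the log lines themselves are constructed for the example and are not a real proxy's native format; matching is done on the hostname (with a leading `www.` stripped on both sides, an assumption made here so that `www.klkjwre9fqwieluoi.info` and its apex are treated as the same indicator) and reported as a stronger `url` hit when the full URL prefix also matches.

```python
"""Match proxy log lines against the Sality C2 URLs extracted in this report."""
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report's Malware Config section.
SALITY_C2 = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# Constructed sample log, hypothetical format: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2022-06-05T10:01:02Z 10.0.0.15 GET http://kukutrustnet777.info/home.gif 200
2022-06-05T10:01:03Z 10.0.0.15 GET http://89.119.67.154/testo5/ 404
2022-06-05T10:01:09Z 10.0.0.22 GET http://example.com/index.html 200
2022-06-05T10:02:11Z 10.0.0.15 GET http://KUKUTRUSTNET987.INFO/home.gif?x=1 200
2022-06-05T10:03:00Z 10.0.0.31 GET http://klkjwre9fqwieluoi.info/ 200
"""


def normalize_host(host):
    """Lower-case a hostname and strip a leading 'www.' (assumption: apex and www are one indicator)."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def c2_hosts(urls=SALITY_C2):
    """Set of normalized hostnames (or IP literals) from the C2 URL list."""
    return {normalize_host(urlsplit(u).hostname) for u in urls}


def parse_log_line(line):
    """Parse one line of the constructed log format; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def match_c2(lines, c2_urls=SALITY_C2):
    """Return (client_ip, matched_host, match_kind) for every line touching a C2 host.

    match_kind is 'url' when the requested URL starts with a listed C2 URL
    (query strings appended by the bot still match), otherwise 'host'.
    """
    hosts = c2_hosts(c2_urls)
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        host = normalize_host(urlsplit(rec["url"]).hostname)
        if host not in hosts:
            continue
        url_l = rec["url"].lower()
        exact = any(url_l.startswith(c.lower()) for c in c2_urls)
        hits.append((rec["client"], host, "url" if exact else "host"))
    return hits


def compromised_clients(lines, c2_urls=SALITY_C2):
    """Distinct client IPs that contacted any C2 host; these are the hosts to isolate."""
    return {client for client, _, _ in match_c2(lines, c2_urls)}


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG.splitlines()):
        print(hit)
    print("clients to isolate:", sorted(compromised_clients(SAMPLE_LOG.splitlines())))
```

Note that the HTTP status is deliberately ignored: a 404 from `89.119.67.154` still proves the client ran the bot's C2 routine, and because several of these domains are sinkholed (see the Suricata AnubisNetworks signature below) a 200 from them does not mean the operator is still in control.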

Targets

    • Target

      06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928

    • Size

      2.3MB

    • MD5

      f7c557fc2403c86746f2f45a25b98920

    • SHA1

      fe7761f978e3d956cbe1c16a2ac4146b6ede54a9

    • SHA256

      06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928

    • SHA512

      a52ca721f7f17380bb26cf80e7515c53f39cab9453e21f6515c39975fa3c0cbc05d3e15efa4cf0c23035e9ee42c778f3cb0930c1f299fbd4c34b020f6af6fdbf

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
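The "Enumerates connected drives" and "Drops autorun.inf file" signatures together describe the removable-media spreading step: the sample walks the non-C: volumes and writes an autorun.inf whose launch directives point at a dropped executable. The following is an added example, not code from the report or the sandbox, of a parser that pulls the launch directives out of an autorun.inf collected from such a volume and gives a verdict. It is written to be tolerant of mixed-case section and key names and of non-directive junk lines, because a naive `[autorun]`/`open=` string match misses files padded that way; the two autorun.inf samples below are constructed for the example and are not artifacts of this sample.

```python
"""Parse an autorun.inf and flag directives that would launch a program from the volume."""
import re

# [autorun] keys that make Windows run something when the volume is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# File extensions treated as executable for the verdict.
EXEC_EXT = re.compile(r"\.(exe|pif|scr|com|bat|cmd|vbs|js)\b", re.IGNORECASE)

# Constructed sample: mixed case, a comment, and junk padding around the real directives.
SAMPLE_AUTORUN = r"""
[AuToRuN]
;xk3f9 aq z
q9#k!lm
OpEn=hzkyuo.exe
zz=qq
sHeLl\OpEn\CoMmAnD=hzkyuo.exe
icon=shell32.dll,4
ACTION=Open folder to view files
"""

# Constructed benign sample, like a driver disc that only sets an icon and label.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section.

    Section and key names are compared case-insensitively; blank lines, ';' comments
    and lines without '=' (junk padding) are skipped rather than aborting the parse.
    """
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.*?)\]", line)
        if section:
            in_section = section.group(1).strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()  # keeps backslashes, e.g. shell\open\command
        if key:
            directives[key] = value.strip()
    return directives


def launch_targets(directives):
    """(key, value) pairs that cause something to be executed."""
    return [(k, v) for k, v in directives.items() if k in LAUNCH_KEYS]


def is_suspicious(text):
    """True if any launch directive points at an executable file on the volume."""
    return any(EXEC_EXT.search(value) for _, value in launch_targets(parse_autorun(text)))


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, launch_targets(parse_autorun(sample)), is_suspicious(sample))
```

When triaging a volume, pair the verdict with the file the directives name: the dropped EXE in the root (here the constructed `hzkyuo.exe`) is the artifact to hash and compare against the values in this report, and both files will typically carry hidden/system attributes so that Explorer does not show them.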

MITRE ATT&CK Enterprise v6