General

  • Target

    8f53ab062cb91c5faf7d4a35e9965778a954abcbfec281e05f6caa146d1f3053

  • Size

    156KB

  • Sample

    220919-bbmsfaheg6

  • MD5

    305d6611ac8c0768220b08198f08deb2

  • SHA1

    2499e6f6baa73d32bd49fea0a4d0941bfae435fa

  • SHA256

    8f53ab062cb91c5faf7d4a35e9965778a954abcbfec281e05f6caa146d1f3053

  • SHA512

    8369cedd51eed5f3f3868bed6d6e42c6152513475519e569d4571c273d0863810dce5ceeab8291f9e48b392855b2ed55d9030d9598c38b2c3366db320546034e

  • SSDEEP

    3072:1fIsmpcReL9zINbWwhVpkSp2Z7L4RSoTPFcuFp+xPI:RIsmxL4/VfI7LbccuD+i

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

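The C2 list above is the most directly actionable part of this report for a defender. The following is an added example (not part of the sandbox report and not the malware's own code) that turns the report's indicators into a matcher: it splits the C2 URLs into hosts and exact URLs, scans proxy log lines for contact with them, and checks file hashes reported by other tooling against the sample's hashes. The proxy log lines are constructed for the demonstration and the Squid native access.log layout is an assumption; the indicator values themselves are copied from the report.

```python
"""Match this report's network and hash indicators against local telemetry (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicator values copied from the report above.
SAMPLE_HASHES = {
    "md5": "305d6611ac8c0768220b08198f08deb2",
    "sha1": "2499e6f6baa73d32bd49fea0a4d0941bfae435fa",
    "sha256": "8f53ab062cb91c5faf7d4a35e9965778a954abcbfec281e05f6caa146d1f3053",
}
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
]


def c2_indicators(urls=C2_URLS):
    """Split the C2 URLs into the hostnames/IPs and the exact URLs a proxy would log."""
    hosts = {urlparse(u).hostname.lower() for u in urls}
    return hosts, set(urls)


# Assumed Squid native access.log layout:
# "<epoch> <elapsed ms> <client ip> <code>/<status> <bytes> <method> <url> ..."
_SQUID = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines, urls=C2_URLS):
    """Return one hit per log line whose URL or host is a C2 indicator (host match is case-insensitive)."""
    hosts, exact = c2_indicators(urls)
    hits = []
    for line in lines:
        m = _SQUID.match(line)
        if not m:
            continue  # not a parsable access-log line; skip rather than guess
        url = m.group("url")
        host = (urlparse(url).hostname or "").lower()
        if url in exact or host in hosts:
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "host": host, "url": url})
    return hits


def hashes_of(data: bytes):
    """Compute the same three digests the report lists, for a file read from disk."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def match_hashes(observed):
    """observed: {"md5": "...", "sha256": "..."} from an EDR/AV alert; returns the algorithms that match."""
    return sorted(alg for alg, h in observed.items() if SAMPLE_HASHES.get(alg, "").lower() == h.lower())


# Constructed proxy log: two clients, three C2 contacts (one with an upper-cased host) and one benign request.
PROXY_LOG = [
    "1663579201.123    145 10.0.0.15 TCP_MISS/200 1834 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/203.0.113.9 image/gif",
    "1663579202.004     88 10.0.0.15 TCP_MISS/404 512 GET http://89.119.67.154/testo5/ - HIER_DIRECT/89.119.67.154 text/html",
    "1663579203.777    210 10.0.0.22 TCP_MISS/200 9921 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1663579204.100     60 10.0.0.15 TCP_MISS/200 1834 GET http://KUKUTRUSTNET987.INFO/home.gif - HIER_DIRECT/203.0.113.9 image/gif",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} ({hit['url']})")
```

Host-level matching is deliberate: the `home.gif` path is trivial to change, so alerting on the three `kukutrustnet*.info` names and the IP catches the contact even when the path differs. Treat the MD5 and SHA1 values as cross-reference keys only; SHA256 is the one to pivot on, since the first two are collision-prone.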
Targets

    • Target

      8f53ab062cb91c5faf7d4a35e9965778a954abcbfec281e05f6caa146d1f3053

    • Size

      156KB

    • MD5

      305d6611ac8c0768220b08198f08deb2

    • SHA1

      2499e6f6baa73d32bd49fea0a4d0941bfae435fa

    • SHA256

      8f53ab062cb91c5faf7d4a35e9965778a954abcbfec281e05f6caa146d1f3053

    • SHA512

      8369cedd51eed5f3f3868bed6d6e42c6152513475519e569d4571c273d0863810dce5ceeab8291f9e48b392855b2ed55d9030d9598c38b2c3366db320546034e

    • SSDEEP

      3072:1fIsmpcReL9zINbWwhVpkSp2Z7L4RSoTPFcuFp+xPI:RIsmxL4/VfI7LbccuD+i

    • Modifies visibility of hidden/system files in Explorer

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX or a modified UPX (an open-source packer).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

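Several of the behaviours above (disabling RegEdit and Task Manager by policy, tampering with UAC, modifying the firewall, adding a Run key) leave a footprint in well-known registry locations that can be audited on a suspect host. The following is an added example, not part of the sandbox report: the registry paths are the standard Windows policy values for each behaviour and are an assumption of this example, since the report names the behaviours but not the exact values written; the two snapshots at the bottom are constructed for the demonstration.

```python
"""Audit the registry policy values associated with the behaviours in this report (added example)."""
try:
    import winreg  # only on Windows; evaluate() works on a snapshot dict on any host
except ImportError:
    winreg = None

HKCU, HKLM = "HKCU", "HKLM"
# Assumed standard locations (not taken from the report):
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
FIREWALL_STD = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# (hive, subkey, value name, predicate true when the value looks tampered, finding text).
# An absent value (None) is treated as the Windows default, i.e. not tampered.
CHECKS = [
    (HKCU, POLICY_SYSTEM, "DisableRegistryTools", lambda v: v not in (None, 0), "RegEdit disabled via policy"),
    (HKCU, POLICY_SYSTEM, "DisableTaskMgr", lambda v: v not in (None, 0), "Task Manager disabled via policy"),
    (HKLM, POLICY_SYSTEM, "EnableLUA", lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    (HKLM, FIREWALL_STD, "EnableFirewall", lambda v: v == 0, "Windows Firewall disabled for the standard profile"),
]


def evaluate(snapshot):
    """snapshot: {"HIVE\\subkey": {value_name: data, ...}}. Returns a list of finding strings."""
    findings = []
    for hive, subkey, name, tampered, text in CHECKS:
        data = snapshot.get(f"{hive}\\{subkey}", {}).get(name)
        if tampered(data):
            findings.append(f"{text} [{hive}\\{subkey}\\{name}={data!r}]")
    # Run-key persistence: the report does not name the entry, so list every one for analyst review.
    for name, data in sorted(snapshot.get(f"{HKCU}\\{RUN_KEY}", {}).items()):
        findings.append(f"Run entry {name!r} -> {data!r}")
    return findings


def collect_live():
    """Read the same keys from the local registry into a snapshot (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not a Windows host")
    roots = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, subkey in {(h, s) for h, s, *_ in CHECKS} | {(HKCU, RUN_KEY)}:
        values = {}
        try:
            with winreg.OpenKey(roots[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    index += 1
        except OSError:
            pass  # key absent: evaluate() treats its values as defaults
        snapshot[f"{hive}\\{subkey}"] = values
    return snapshot


# Constructed snapshots: one resembling a host after the listed behaviours ran, one clean.
TAMPERED_HOST = {
    f"{HKCU}\\{POLICY_SYSTEM}": {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    f"{HKLM}\\{POLICY_SYSTEM}": {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5},
    f"{HKLM}\\{FIREWALL_STD}": {"EnableFirewall": 0},
    f"{HKCU}\\{RUN_KEY}": {
        "OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "updater": r"C:\Users\a\AppData\Local\Temp\updater.exe",  # hypothetical dropped EXE path
    },
}
CLEAN_HOST = {
    f"{HKLM}\\{POLICY_SYSTEM}": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5},
    f"{HKLM}\\{FIREWALL_STD}": {"EnableFirewall": 1},
}

if __name__ == "__main__":
    for line in evaluate(TAMPERED_HOST):
        print(line)
```

The predicate-per-value layout keeps the policy semantics explicit: `DisableTaskMgr` is tampered when present and non-zero, while `EnableLUA` is tampered only when explicitly `0`. Run-key entries are listed rather than judged, because the report records that a Run key was added without naming it, and a sane allowlist is site-specific.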
MITRE ATT&CK Enterprise v6