Overview

overview

10

Static

static

38667f5ed3...99.exe

windows7-x64

10

38667f5ed3...99.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399

  • Size

    386KB

  • Sample

    221030-cbhddsggfm

  • MD5

    5c15c1d455043105018b0a238d4ca930

  • SHA1

    c84c775104892134f6170e288496ba084c781ce6

  • SHA256

    38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399

  • SHA512

    dadc9b18b97c0723ba1b7007834acb6d849d7c8089271bd391f8180ce2c6e37acbd64f8aca998d31bbb9af1e676bac015b13e10f361a0067d61ffc6bdfeecb63

  • SSDEEP

    6144:EWH8H1bmbUWC3mzu84CGjvHyVHys1ifpkzpVuZABdg2+coSbjNp6tDm:gbmb/C3IzQyHyop8Zad/vjNE9m

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399

    • Size

      386KB

    • MD5

      5c15c1d455043105018b0a238d4ca930

    • SHA1

      c84c775104892134f6170e288496ba084c781ce6

    • SHA256

      38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399

    • SHA512

      dadc9b18b97c0723ba1b7007834acb6d849d7c8089271bd391f8180ce2c6e37acbd64f8aca998d31bbb9af1e676bac015b13e10f361a0067d61ffc6bdfeecb63

    • SSDEEP

      6144:EWH8H1bmbUWC3mzu84CGjvHyVHys1ifpkzpVuZABdg2+coSbjNp6tDm:gbmb/C3IzQyHyop8Zad/vjNE9m

    Score
    10/10
    salitybackdoorevasionpersistencetrojanupx

    • Modifies firewall policy service

      evasion

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks