Overview

overview

10

Static

static

fd8385e107...0d.exe

windows7-x64

10

fd8385e107...0d.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    fd8385e107b465505506952f9bc806e74bd31d755ed514bf004e8b9012aec00d

  • Size

    196KB

  • Sample

    221107-eagftafcg3

  • MD5

    184bf4abba0af8444150e943e9867394

  • SHA1

    eb4a1b47b93c05e221c3f1ce4d2c76a5c3438137

  • SHA256

    fd8385e107b465505506952f9bc806e74bd31d755ed514bf004e8b9012aec00d

  • SHA512

    583bc4a2debe95e5e4efa6fc5406c7af8152331d265d1e29c981fca40597a15e617c9f26929fde2b8f05963e2c284319f13738ba8c38f0082a0d617fb11ddbae

  • SSDEEP

    3072:C01oJqzar89GFP3y4CpCfCGCCOCwC9CvCFCfCLCvCUCLC2FInROUSRSGSuSQSmS4:CJrrmGR3yGFInROJVmStyg9dx/kG/

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      fd8385e107b465505506952f9bc806e74bd31d755ed514bf004e8b9012aec00d

    • Size

      196KB

    • MD5

      184bf4abba0af8444150e943e9867394

    • SHA1

      eb4a1b47b93c05e221c3f1ce4d2c76a5c3438137

    • SHA256

      fd8385e107b465505506952f9bc806e74bd31d755ed514bf004e8b9012aec00d

    • SHA512

      583bc4a2debe95e5e4efa6fc5406c7af8152331d265d1e29c981fca40597a15e617c9f26929fde2b8f05963e2c284319f13738ba8c38f0082a0d617fb11ddbae

    • SSDEEP

      3072:C01oJqzar89GFP3y4CpCfCGCCOCwC9CvCFCfCLCvCUCLC2FInROUSRSGSuSQSmS4:CJrrmGR3yGFInROJVmStyg9dx/kG/

    Score
    10/10
    salitybackdoorevasionpersistencetrojanupx

    • Modifies firewall policy service

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks