Extracted

• • Target

    e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f

  • Size

    820KB

  • MD5

    14d0b4619c03706d5853c0cf3626cb6a

  • SHA1

    261dc7aac68bab5bf1ece7f5a9ba84f3346d807d

  • SHA256

    e6f2a5e151b1f6af1ee2bced68e67b601c36322b3a997c1e7fcdc616f437ab4f

  • SHA512

    a8f7d4b060dd5329bfe1620eb88d035b3e3b2345d8675d27a91bd1fc6e2f2c97c0cd6b965fb509daf74f197a786e2d0020b4b14cd5a7bace81c3082d6ebaa1d2

  • SSDEEP

    24576:ZFE//Tct4bOsgXOEiuZ/TML1VEvpc6L1S:bSVgXv/TrcaS

  Score

  10^/10

  upxsalitybackdoorevasionpersistencetrojan

  • Modifies firewall policy service

    evasion

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Adds policy Run key to start application

    persistence

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  behavioral1behavioral2