Overview

overview

10

Static

static

bbc6fd17ce...80.exe

windows7-x64

10

bbc6fd17ce...80.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    bbc6fd17ce8030ec7739e8afd1365feb2aa14f2f8bff4bb8ee6feaebaa829b80

  • Size

    396KB

  • Sample

    221127-ceernsfd2z

  • MD5

    52994d7b93772bcbf12b7c4450081811

  • SHA1

    e8210cc294f708e85489291157fe450de0c64eea

  • SHA256

    bbc6fd17ce8030ec7739e8afd1365feb2aa14f2f8bff4bb8ee6feaebaa829b80

  • SHA512

    0ecaaf64b29e4738bd80e37f8b45f570746756ee250fcaa7a4cee947e9f60ef573004d6c47da5ab936838231dbf34d9993b762249aaabe6c28adfa481ef5b8f4

  • SSDEEP

    6144:7+TWqJ3RsM/8E/IbRuLifI0r48PNGgcSc:KvJ3RsE7KQiTrVtcS

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      bbc6fd17ce8030ec7739e8afd1365feb2aa14f2f8bff4bb8ee6feaebaa829b80

    • Size

      396KB

    • MD5

      52994d7b93772bcbf12b7c4450081811

    • SHA1

      e8210cc294f708e85489291157fe450de0c64eea

    • SHA256

      bbc6fd17ce8030ec7739e8afd1365feb2aa14f2f8bff4bb8ee6feaebaa829b80

    • SHA512

      0ecaaf64b29e4738bd80e37f8b45f570746756ee250fcaa7a4cee947e9f60ef573004d6c47da5ab936838231dbf34d9993b762249aaabe6c28adfa481ef5b8f4

    • SSDEEP

      6144:7+TWqJ3RsM/8E/IbRuLifI0r48PNGgcSc:KvJ3RsE7KQiTrVtcS

    Score
    10/10
    salitybackdoorevasionpersistencetrojanupx

    • Modifies firewall policy service

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks