Overview

overview

10

Static

static

10

781d0c8261...c2.exe

windows7-x64

10

781d0c8261...c2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    781d0c8261c34c71edef1b6e6f1ddf8fe122857799fd5e4375a69bc2c5af01c2

  • Size

    200KB

  • Sample

    221202-r2sz5sbf7z

  • MD5

    46dfcadc84fb0c9fe11db532862d11c2

  • SHA1

    34f6a2904e5a846182fb814eeda8d5b626155ecb

  • SHA256

    781d0c8261c34c71edef1b6e6f1ddf8fe122857799fd5e4375a69bc2c5af01c2

  • SHA512

    c8ad6538a32300c293b0ed131f3f269bbdede737fe4e9f24b909588ce681a30d6b17d0a4c6dbd245410cb44caeb08e2457b5d01ecca54c27272dbc7eb4592c91

  • SSDEEP

    3072:sr85CoxyVnojUWzawn3HRVysGCSgcyd7t9BrFr:k9oIV9WzaO3HDys3Bv19

Score
10/10
neshtasalitybackdoorevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      781d0c8261c34c71edef1b6e6f1ddf8fe122857799fd5e4375a69bc2c5af01c2

    • Size

      200KB

    • MD5

      46dfcadc84fb0c9fe11db532862d11c2

    • SHA1

      34f6a2904e5a846182fb814eeda8d5b626155ecb

    • SHA256

      781d0c8261c34c71edef1b6e6f1ddf8fe122857799fd5e4375a69bc2c5af01c2

    • SHA512

      c8ad6538a32300c293b0ed131f3f269bbdede737fe4e9f24b909588ce681a30d6b17d0a4c6dbd245410cb44caeb08e2457b5d01ecca54c27272dbc7eb4592c91

    • SSDEEP

      3072:sr85CoxyVnojUWzawn3HRVysGCSgcyd7t9BrFr:k9oIV9WzaO3HDys3Bv19

    Score
    10/10
    neshtapersistencespywarestealersalitybackdoorevasiontrojanupx

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Modify Existing Service

1
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

5
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks