sakula | f1600f2961c2101189dd6666935d4e7c2af69aacce417b527e41584b53bc4225 | Triage

Submit
Reports

Overview

overview

Static

static

bccf42d805...JC.exe

windows7-x64

bccf42d805...JC.exe

windows10-2004-x64

Sharing

General

Target

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe
Size

212KB
Sample

230908-wznpvsee56
MD5

bccf42d805b13678fb0459ece5aa915f
SHA1

307c9a9e7440de03c051736a5977662d5546bcae
SHA256

f1600f2961c2101189dd6666935d4e7c2af69aacce417b527e41584b53bc4225
SHA512

25fa07e0c2c54b59d03a801e3fada1a61c73e813f52c1dced31d335ee1cffd78537859b55797c1a12ad225f4ea59eee96316af8315e1c170cf643d8b386435ba
SSDEEP

1536:VtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0ManB/:429DkEGRQixVSjLc130BYgjXjpWnB/

Score

10^/10

sakula persistence rat trojan upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

Resource

win7-20230831-en

sakula persistence rat trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe

Resource

win10v2004-20230831-en

sakula persistence rat trojan upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

- Target
  
  bccf42d805b13678fb0459ece5aa915fexeexeexe_JC.exe
- Size
  
  212KB
- MD5
  
  bccf42d805b13678fb0459ece5aa915f
- SHA1
  
  307c9a9e7440de03c051736a5977662d5546bcae
- SHA256
  
  f1600f2961c2101189dd6666935d4e7c2af69aacce417b527e41584b53bc4225
- SHA512
  
  25fa07e0c2c54b59d03a801e3fada1a61c73e813f52c1dced31d335ee1cffd78537859b55797c1a12ad225f4ea59eee96316af8315e1c170cf643d8b386435ba
- SSDEEP
  
  1536:VtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0ManB/:429DkEGRQixVSjLc130BYgjXjpWnB/
Score

10^/10

sakula persistence rat trojan upx
- Sakula
  Sakula is a remote access trojan with various capabilities.
  trojan rat sakula
- Sakula payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

sakulapersistencerattrojanupx

behavioral2

sakulapersistencerattrojanupx

© 2018-2024

Terms | Privacy