General

  • Target

    74d983b827231f78a326eadd2eee6ec6_JC.exe

  • Size

    256KB

  • Sample

    231005-xcq25seb4t

  • MD5

    74d983b827231f78a326eadd2eee6ec6

  • SHA1

    f49275b9eb9f700d0fb841770efef5ec43315d16

  • SHA256

    979a62642b980c3dcde8ea135b89ca6d33bb7a96e47ae22e86c68c925cc082c7

  • SHA512

    046dfed929188c8d3ed2769067eba4e0a10b37421b7c40e953f7eb2176ebc80f2a9a0ade9309c139162d5724b189e54fe5bd7907eb23a3db9f7ee1cda7875c26

  • SSDEEP

    6144:rHkZeUwBxE1+ijiBKk3etdgI2MyzNORQtOfl1qNVo7R+S+N/c:TkZbw8EYiBlo

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
