Overview

overview

10

Static

static

10

NEAS.1c1b1...JC.exe

windows7-x64

10

NEAS.1c1b1...JC.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.1c1b19fed2e385b82c356d163a813060_JC.exe

  • Size

    212KB

  • Sample

    231014-rca32afa8t

  • MD5

    1c1b19fed2e385b82c356d163a813060

  • SHA1

    2c0a4fcd4e8c043a47e3a70498f8343808427b10

  • SHA256

    61398e6b900f17750e3069094b2a560f7c58f4432d38e200837012cbe465a065

  • SHA512

    792032b20956516eb4c2ecc69d73a6a8c1ba8a848e8da4f3ebec78de196aa2468f3f4cdaa8891b8b5f2ceb2be46e4e9edaddaa37000830947da39c8ffab00c5d

  • SSDEEP

    1536:YtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0hanBW:L29DkEGRQixVSjLc130BYgjXjpnnBW

Score
10/10
sakulapersistencerattrojanupx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      NEAS.1c1b19fed2e385b82c356d163a813060_JC.exe

    • Size

      212KB

    • MD5

      1c1b19fed2e385b82c356d163a813060

    • SHA1

      2c0a4fcd4e8c043a47e3a70498f8343808427b10

    • SHA256

      61398e6b900f17750e3069094b2a560f7c58f4432d38e200837012cbe465a065

    • SHA512

      792032b20956516eb4c2ecc69d73a6a8c1ba8a848e8da4f3ebec78de196aa2468f3f4cdaa8891b8b5f2ceb2be46e4e9edaddaa37000830947da39c8ffab00c5d

    • SSDEEP

      1536:YtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0hanBW:L29DkEGRQixVSjLc130BYgjXjpnnBW

    Score
    10/10
    sakulapersistencerattrojanupx

    • Sakula

      Sakula is a remote access trojan with various capabilities.

      trojanratsakula

    • Sakula payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks