Overview

overview

10

Static

static

10

NEAS.53f3c...e0.exe

windows7-x64

10

NEAS.53f3c...e0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

  • Size

    212KB

  • Sample

    231014-whfb6aae5v

  • MD5

    53f3cbe3b6506b5c5eb1fc23e421b6e0

  • SHA1

    408185b166aee1c29eb805df03711789b42a2936

  • SHA256

    e0ddf1c40d03499d27db1420b83de2da1fdd609c8463faee3b7bfd6e62c42f0e

  • SHA512

    d8969498e845bd841739f3db4631ed088907512dce20181d7985324b10707252a35534d46f59c251deb7b88563bb6aa8af15c9903ac7d17c679f951145208358

  • SSDEEP

    1536:NtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0GanBH:A29DkEGRQixVSjLc130BYgjXjpUnBH

Score
10/10
sakulapersistencerattrojanupx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

    • Size

      212KB

    • MD5

      53f3cbe3b6506b5c5eb1fc23e421b6e0

    • SHA1

      408185b166aee1c29eb805df03711789b42a2936

    • SHA256

      e0ddf1c40d03499d27db1420b83de2da1fdd609c8463faee3b7bfd6e62c42f0e

    • SHA512

      d8969498e845bd841739f3db4631ed088907512dce20181d7985324b10707252a35534d46f59c251deb7b88563bb6aa8af15c9903ac7d17c679f951145208358

    • SSDEEP

      1536:NtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0GanBH:A29DkEGRQixVSjLc130BYgjXjpUnBH

    Score
    10/10
    sakulapersistencerattrojanupx

    • Sakula

      Sakula is a remote access trojan with various capabilities.

      trojanratsakula

    • Sakula payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks