Overview

overview

10

Static

static

10

NEAS.bed60...40.exe

windows7-x64

10

NEAS.bed60...40.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.bed60eda7a4d8f06566e22d744209440.exe

  • Size

    190KB

  • Sample

    231102-t2gyzsha67

  • MD5

    bed60eda7a4d8f06566e22d744209440

  • SHA1

    61a4a45a643162246ce5759a3872142aac033d34

  • SHA256

    d0fa3cac57ce1f2751239db1c862425eacba97198be659a65541f00e3fbbe67c

  • SHA512

    884e2eef1e5fae3dcb43c0b464be69c5e4caf556c17566159d50ca13f6f5751d136a82fe573dd740c56ba64b0f129fd17d95bdde34904b1d4a0b93ebaaa3337f

  • SSDEEP

    3072:929DkEGRQixVSjLa130BYgjXjp+y9T7uZwOuz/xSj:929qRfVSnA30B7XjUbwBxO

Score
10/10
sakulapersistencerattrojanupx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      NEAS.bed60eda7a4d8f06566e22d744209440.exe

    • Size

      190KB

    • MD5

      bed60eda7a4d8f06566e22d744209440

    • SHA1

      61a4a45a643162246ce5759a3872142aac033d34

    • SHA256

      d0fa3cac57ce1f2751239db1c862425eacba97198be659a65541f00e3fbbe67c

    • SHA512

      884e2eef1e5fae3dcb43c0b464be69c5e4caf556c17566159d50ca13f6f5751d136a82fe573dd740c56ba64b0f129fd17d95bdde34904b1d4a0b93ebaaa3337f

    • SSDEEP

      3072:929DkEGRQixVSjLa130BYgjXjp+y9T7uZwOuz/xSj:929qRfVSnA30B7XjUbwBxO

    Score
    10/10
    sakulapersistencerattrojanupx

    • Sakula

      Sakula is a remote access trojan with various capabilities.

      trojanratsakula

    • Sakula payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks