sakula | 1632-2-0x0000000000400000-0x000000000040B000-memory[.]dmp

General

Target

1632-2-0x0000000000400000-0x000000000040B000-memory.dmp
Size

44KB
MD5

57e737527dadb8f43ef0856c21080f8c
SHA1

4b1b7cb83ae0d34b46e20629dd735ed79ddd2a0c
SHA256

a53a282dfa2097c14cf9f67251ad27148f4afcd4c5745909dec1b80d9cb86119
SHA512

5e0deb20a7de065f056b6d7cc366b18d1aa3dbabd5c8da99eef7943afe6579a29cd72379894ec4d8c4e34c795a08249c3af82b84345228e295ffdf6a21b4a529
SSDEEP

384:xhnyaz2ypQY5ZkV6BjqvhyY3Q6oVxYshTCY3WqPakgUt11iyBrUo7MgImBH+Tp:GnHY5ZkAF4hyYtoVxYshem1oUt1vnhBa

Score

10^/10

sakula

Malware Config

Extracted

Family

sakula

C2

http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://vpn.premrera.com:443/photo/%s.jpg?id=%d

http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://173.254.226.212:443/photo/%s.jpg?id=%d

Signatures

Sakula family
sakula

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
1632-2-0x0000000000400000-0x000000000040B000-memory.dmp

Files

1632-2-0x0000000000400000-0x000000000040B000-memory.dmp
.exe windows:4 windows x86

bac78d68d76cec273167912251c74570

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

SendMessageA
CreateWindowExA
GetWindowRect
DrawTextA
EndPaint
ClientToScreen
ScreenToClient
SetWindowPos
LoadBitmapA
CallWindowProcA
GetDlgItemTextA
PeekMessageA
CreateDialogParamA
SetWindowTextA
ShowWindow
GetCursorPos
GetForegroundWindow
MessageBoxA
BeginPaint

wininet

InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle

shell32

IsUserAnAdmin

advapi32

OpenProcessToken
AllocateAndInitializeSid
GetTokenInformation
EqualSid
GetUserNameA
RegOpenKeyA
RegDeleteValueA
RegCloseKey
FreeSid

msvcrt

strcat
strcpy
sprintf
strlen
fopen
fseek
ftell
fread
fwrite
fclose
memset
time
gmtime
memcpy
free
malloc

kernel32

OpenProcess
OpenThread
GetTickCount
Sleep
VirtualProtect
ExitProcess
ExpandEnvironmentStringsA
GetModuleFileNameA
CreateDirectoryA
GetTempPathA
GetTempFileNameA
FindFirstFileA
GetSystemWow64DirectoryA
GetVersionExA
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
RtlZeroMemory
CreatePipe
GetStartupInfoA
CreateProcessA
PeekNamedPipe
ReadFile
CreateFileA
SetFilePointer
GetFileSize
CloseHandle
GetVolumeInformationA
GetComputerNameA
GetModuleHandleA
GetProcAddress

Sections

code
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

bac78d68d76cec273167912251c74570

Headers

File Characteristics

Imports

user32

wininet

shell32

advapi32

msvcrt

kernel32

Sections

code Size: 32KB - Virtual size: 32KB

.rsrc Size: 8KB - Virtual size: 8KB

code
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 8KB - Virtual size: 8KB