Behavioral task
behavioral1
Sample
cd6a99b286420dbdf0cf406203526e81.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
cd6a99b286420dbdf0cf406203526e81.exe
Resource
win10v2004-20231215-en
General
-
Target
cd6a99b286420dbdf0cf406203526e81
-
Size
517KB
-
MD5
cd6a99b286420dbdf0cf406203526e81
-
SHA1
2b83183925ad2b0e2da4c828cc80d99cf928039f
-
SHA256
6c6cb006bfc84ecb8913466123ecb832e4630539b6cc6040152516dbb914c825
-
SHA512
5a3d595cf824bea9ebff2568e2682f0c0b4633ea49d598fde9afbfbd18cc96a69afc0fb8df5d517c0fa8f7af4f9d532545e59146cff6710e35fef33d54f4f7a8
-
SSDEEP
12288:0RfQn+w8EYiBlMkn5f9J105ko8T6csVe2:g4+wlYBsb3zNsz
Malware Config
Extracted
sakula
www.polarroute.com
Signatures
-
Sakula family
-
Sakula payload 1 IoCs
Processes:
resource yara_rule sample family_sakula -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource cd6a99b286420dbdf0cf406203526e81
Files
-
cd6a99b286420dbdf0cf406203526e81.exe windows:5 windows x86 arch:x86
4511896d043677e4ab4578dc5bcab5a0
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
GetCurrentThread
VirtualFree
ExpandEnvironmentStringsA
WriteFile
OpenProcess
WideCharToMultiByte
GetVolumeInformationA
Sleep
SizeofResource
CreateProcessA
TerminateProcess
ReadFile
GetSystemDirectoryA
MultiByteToWideChar
GetTickCount
CreateDirectoryA
GetStartupInfoA
FindFirstFileA
GetLastError
VirtualAlloc
FindClose
LockResource
CreatePipe
GetModuleFileNameA
GetVersionExA
WinExec
CloseHandle
GetCurrentProcessId
GetTempPathA
GetCurrentProcess
LoadResource
PeekNamedPipe
SetFilePointer
SetPriorityClass
FindResourceA
GetFileSize
CreateFileA
GetComputerNameA
SetThreadPriority
ExitProcess
GetProcessHeap
SetEndOfFile
GetStringTypeW
GetStringTypeA
GetModuleHandleW
GetProcAddress
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
HeapCreate
HeapReAlloc
RtlUnwind
GetConsoleCP
GetConsoleMode
SetHandleCount
GetFileType
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LCMapStringA
LCMapStringW
advapi32
RegOpenKeyA
GetUserNameA
FreeSid
AllocateAndInitializeSid
RegDeleteKeyA
EqualSid
RegSetValueExA
GetTokenInformation
OpenProcessToken
RegCloseKey
shell32
SHChangeNotify
ord680
ShellExecuteA
wininet
HttpOpenRequestA
InternetOpenUrlA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
InternetConnectA
InternetReadFile
Sections
.text Size: 55KB - Virtual size: 55KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 10KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 25KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE