General

  • Target

    2024-02-28_8e326a6ed246425c95e6c760619bf646_cobalt-strike_floxif_icedid

  • Size

    830KB

  • Sample

    240228-hc4wnsdd9t

  • MD5

    8e326a6ed246425c95e6c760619bf646

  • SHA1

    c67c4401ddac7f9d043d2cdfc95010183f66805a

  • SHA256

    aafe297f6fc15192f36f7214b3aa893a2eac6f283ea5673673b2f1bf72adc337

  • SHA512

    5dc933072350915bdb351f87d9c4c2d62cd3d34a1551c53d809f91f3d8fa180af54008955876dc1cab3eee8e84ea47bb10fc9fcc565125afbf126aa73b3cf1a7

  • SSDEEP

    12288:DGlo/L9QuHJrwxXZsvqU1MapTQL00R1IitdG09apb5WCqBjvrEH7NKOt:4SQ+UXZnU1/psY0HIitY1p1WrEH7x

Malware Config

Extracted

  • Family

    sality

  • C2

    http://89.119.67.154/testo5/

    http://kukutrustnet777.info/home.gif

    http://kukutrustnet888.info/home.gif

    http://kukutrustnet987.info/home.gif

    http://www.klkjwre9fqwieluoi.info/

    http://kukutrustnet777888.info/

Targets

    • Target

      2024-02-28_8e326a6ed246425c95e6c760619bf646_cobalt-strike_floxif_icedid

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • UPX dump on OEP (original entry point)

    • Modifies AppInit DLL entries

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15