General

  • Target

    salinewin.exe-Malware-main.zip

  • Size

    12.1MB

  • Sample

    240328-l4my1sab2x

  • MD5

    c8bf514a334eaa148cb3c6135c2fb394

  • SHA1

    0e47a89c3729db5a6f195c6abb04e5129d788df8

  • SHA256

    9127560918eaefe69f1959bcb7f7e13b7e3a7ac156b564922829faaec9b96f67

  • SHA512

    9879a258f429ef492cf495dbddd4f2b9c9fbc061e325aa8ad870ed05049b7ad595b26d223d20c55fc99f403fc9b5d0235353d71bf5d9a39ee4462838feb247ff

  • SSDEEP

    393216:HWK1J5ZA1mZ7oIWBb/P6VyeOgMt29aiGwLp7:H/V61mZUIWBbXkyeOh6a8Lp7

Malware Config

Targets

    • Target

      salinewin.exe-Malware-main/old/salinewin 0.01.exe

    • Size

      76KB

    • MD5

      a2ff7fc5a6027b5437be56fcb3ba418f

    • SHA1

      85f3d2ec1d5b22958ca89651216cf7100a2a722f

    • SHA256

      f7dd7904f0aa943ea273dc91e91840a8c27fcccb699fee98801460c17817be5a

    • SHA512

      96f9a13b215ecb54b3759279d28a0b26217987ae5d1ef7a72d77c4afa28d336f83fc526195b8bcf57cab92942a9e30fc3812705e53c7b12a3cee14fca3a80562

    • SSDEEP

      1536:LHow1xvh8hUelTfjfutQ40Dv4yaLJ5inhzxDhjLYJAIsWk6cdG2357Rh:L+h9lTfj7lDv4/Pintxlo2Goxj

    • Score

      1/10

    • Target

      salinewin-safety/Release/salinewin-safety.exe

    • Size

      245KB

    • MD5

      601283c004aa6e4bcebfb6e844eb653c

    • SHA1

      9c3dde5abd1056497f03f5ae5a3dc6ffed1028cf

    • SHA256

      279a19315055e93a80c558bf9d9a7c8b4aba8fc8f8f3e812df8619e959abbcae

    • SHA512

      feeaebc7c097c724f0cea539729729a7512eb0c75c45b7395cd1d7b3ab643f11fb8b941373b30b12d14b837ff53793fdf49fd70f524c9f6391285d62cf4a7c06

    • SSDEEP

      3072:0Rz5n9Sae432oSLsMT3myjTvoTboVEBZP5pHQpYR95WPNp1wH:0T64a74LZPPHQpY35WPNpW

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Create.bat

    • Size

      397B

    • MD5

      61e988b23f22b1c21626df02ca92b010

    • SHA1

      bd60038f968325dbe556f583d0ae7ea306c6d332

    • SHA256

      05a3a4faa2422e5d923439f6bafb331e0c1a2a2a334f376bdda6a49feef90e09

    • SHA512

      cbc564bd2af5b901cacb2114ab26a4dce12575a3e6a2fb20547adfef0605b2481020faa9837556fcec3fbecee146ce373905535f58c86a8f1d81e624574b2538

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Programs/QEMU/SDL.dll

    • Size

      1.0MB

    • MD5

      cea03998e710dc5bfc4954cde440333d

    • SHA1

      a6490955fa171fd85a6e64d06642e129493c7ba4

    • SHA256

      0cce4795789a49c433d7f9d1ce7663f265f948f672ebde5fec41f2447fcd8741

    • SHA512

      c2aa76413fa9526abad2a3a61f3d0595027df32bcb7e0005a654625a7c894f386563d277ccda89d6eb96fdb869d262252927cfdf764c26c2dfd5cc966d23cfa3

    • SSDEEP

      12288:lFqs6ZgPvI6bw3uJwV/MRb2F6t1YAG7S86OIYO8iJghIQoXk6MEgw4u8XcQexssC:lFqs6gvIgoYSF6vE7CwoQ6LwUGdL

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Programs/QEMU/libcurl-4.dll

    • Size

      295KB

    • MD5

      baae54b1157b4c9587cceb4680b13da5

    • SHA1

      939642b482d3e7697cec88d11aebc07bb076c2d1

    • SHA256

      cde6e2b58641afd108ae2606337a71775021127a6109d6d64eadb056ca4598b7

    • SHA512

      433f411f740bb2978a47776fa856874717531985ca3bfbf17cb2f6d1e106585132a7a90ef7b803a10f1293aaad63f2264ee8a8aea2806593d6944e189e0ff813

    • SSDEEP

      6144:wK0GMvBI/QtKUbp9pDKRCzKuGpHTBI9yAR17rRH:wKEvB7Ke9pDXgHTdm7dH

    • Score

      3/10

    • Target

      salinewin/PayloadMBR/Programs/QEMU/qemu.exe

    • Size

      2.5MB

    • MD5

      98dfea60ecff618c2940823119a279b4

    • SHA1

      aab26cb098fdb76a4643044f494d9b09a7796038

    • SHA256

      fa2255e47506aa291b59f003b298b98b4ab50b4138a0be87fcbdc5a90696b9bc

    • SHA512

      306d9a66a0209d4c805fafbfbff88a9788574ab4999956fd03cda784a67b8dab2fb5d02ca0a7bdf269c7efc1e4564c0bd2f2e1c610ddf54b401c89e705d8613d

    • SSDEEP

      49152:mH1QTnKjzdXskm4AwiiBfFS28OSNI6EsGC+T:mSLKjRXskmPwLBfFGOSNhEsGC

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Programs/compress.exe

    • Size

      50KB

    • MD5

      884e43a197998dfeac6865c525321935

    • SHA1

      32c27b036332e795fbe1060bcb43fe84468e423b

    • SHA256

      abccc981147d5f9b43463e0f9ec6b7f168b7444626048c6c6a1c4dd7f8137096

    • SHA512

      558d587ec0d0f07555d13d9d3262dcfdd5c344d735a2b5220356554467f255c42345b2b2443ea373537a9c4098c66ad0368fb8b2c62dd1922308276df5a3775e

    • SSDEEP

      768:K4u2i8xCuM5AFEApuz7WHLeEA6vyFuu8A5U:ru0MApuereN6j

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Programs/nasm.exe

    • Size

      1.2MB

    • MD5

      288f2be6334f4ea09abf3209166f9ac1

    • SHA1

      c6c613aea50ee2f51518b2e5e0e1041ee101beb5

    • SHA256

      442f6f984804c2e08c151f5565c2fdddda3a899d8e380512f271a3edbbf34cb4

    • SHA512

      470ad18548d290bfbe4de768258ac6fc0863d28f4ad5bd8d169cff0d84f1326fb33351c5549c8f888258a7226ad8701ec2d913a8de300a96333403d60a510baa

    • SSDEEP

      12288:dzMVtmYR2GGsxc7rjzWzzEqGc3I/Iga5/:dQCYEGGsxcvjzWX5/

    • Score

      1/10

    • Target

      salinewin/PayloadMBR/Programs/png2bin.exe

    • Size

      8.5MB

    • MD5

      c6f98ceec41c080120ebd6121fab72a1

    • SHA1

      d4e06fafc5807055acccad44bf31031f765868f7

    • SHA256

      b6f3a0a6345932dca7df51b7cd7ec56d9c4fee9217772c4fd3efd8a37547a413

    • SHA512

      06d8a957d3f69cb89e4172e11b0c3f6377dfacfd119d7da364781cff18edcfe04b2f5a6c8741088241fe3b9c2cd5c5b5c6112e0ff90e94e160a46caecea56f24

    • SSDEEP

      196608:rgF+h90+7s8H9EmtqZiIP/Kr1zBB0PTAjQDCwkWt5JvVlkzKssOZK:rgF+h9fBGvrY1lOXHkW3O2ss

    • Score

      7/10

    • Loads dropped DLL

    • Target

      salinewin/PayloadMBR/Programs/png2bin.py

    • Size

      1KB

    • MD5

      32dfd28117b185e4870eaf506bb38af7

    • SHA1

      b3f3572f0f4403d90889ee5cae7f0774759a1328

    • SHA256

      f12bf9386320e3bf1419cc0227430d86c280d40a855b35aff36939f0396b11c7

    • SHA512

      247b2ab09495f1a596bfcd567df5a39742591164b1472fd5e6c13d02dbcef0906212a8c06ddfdc8233e11af01cbf8b32536fff1550d7dc7599153d55edcf974d

    • Score

      3/10

    • Target

      salinewin/Release/salinewin.exe

    • Size

      283KB

    • MD5

      2b1e9226d7e1015552a21faca891ec41

    • SHA1

      f87fcbe10fa9312048214d4473498ad4f9f331ce

    • SHA256

      7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

    • SHA512

      1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

    • SSDEEP

      3072:HZVUJ58IAelkapH3shY6iEwgaBZP5pHQpYR95WPNpNMl3:nUJ5PzB5ZPPHQpY35WPNpGl3

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      salinewin-safety.exe

    • Size

      245KB

    • MD5

      601283c004aa6e4bcebfb6e844eb653c

    • SHA1

      9c3dde5abd1056497f03f5ae5a3dc6ffed1028cf

    • SHA256

      279a19315055e93a80c558bf9d9a7c8b4aba8fc8f8f3e812df8619e959abbcae

    • SHA512

      feeaebc7c097c724f0cea539729729a7512eb0c75c45b7395cd1d7b3ab643f11fb8b941373b30b12d14b837ff53793fdf49fd70f524c9f6391285d62cf4a7c06

    • SSDEEP

      3072:0Rz5n9Sae432oSLsMT3myjTvoTboVEBZP5pHQpYR95WPNp1wH:0T64a74LZPPHQpY35WPNpW

    • Score

      1/10

    • Target

      salinewin.exe

    • Size

      283KB

    • MD5

      2b1e9226d7e1015552a21faca891ec41

    • SHA1

      f87fcbe10fa9312048214d4473498ad4f9f331ce

    • SHA256

      7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

    • SHA512

      1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

    • SSDEEP

      3072:HZVUJ58IAelkapH3shY6iEwgaBZP5pHQpYR95WPNpNMl3:nUJ5PzB5ZPPHQpY35WPNpGl3

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.
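Both salinewin.exe entries above are flagged for writing to the Master Boot Record. The practical follow-up on a suspect host is to confirm whether sector 0 still matches a known-good baseline. The script below is an added example written for this page, not code from the report or from the salinewin project: it parses a raw 512-byte MBR (bootstrap code, 32-bit disk signature, four 16-byte partition entries, 0x55AA boot signature), hashes only the bootstrap code (the partition table changes legitimately), and reports deviations. The known-good sector, its baseline hash and the "overwritten" sector are all constructed inline so the example runs offline; the bootstrap stub and partition layout are illustrative, not taken from the sample.

```python
"""Minimal MBR integrity check (added example; not part of the sandbox report)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440         # bytes 440..443: 32-bit disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # bytes 510..511: 0x55 0xAA
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into its MBR fields."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            PART_ENTRY, sector[off:off + 16])
        partitions.append({
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so partition edits do not trip the check."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    actual = boot_code_hash(sector)
    if actual != baseline_hash:
        findings.append(f"boot code hash changed: {actual[:16]}... != {baseline_hash[:16]}...")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if sum(p["bootable"] for p in used) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(used):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {i}: zero LBA start or length")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR for testing; no real disk is touched."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0xDEADBEEF)  # arbitrary
    for i, (status, ptype, lba_start, n_sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack(PART_ENTRY, status, b"\xff\xff\xff", ptype,
                                           b"\xff\xff\xff", lba_start, n_sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline: a stub bootstrap (cli; xor ax,ax; mov ds,ax; mov es,ax;
# mov sp,0x7c00; sti) and one active NTFS partition (type 0x07) starting at LBA 2048.
KNOWN_GOOD = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xc0\xbc\x00\x7c\xfb",
                              [(0x80, 0x07, 2048, 1_048_576)])
BASELINE_HASH = boot_code_hash(KNOWN_GOOD)

# Constructed "after infection" sector: bootstrap replaced, partition table untouched.
_tampered = bytearray(KNOWN_GOOD)
_tampered[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN   # filler standing in for foreign code
OVERWRITTEN = bytes(_tampered)

if __name__ == "__main__":
    print("known-good:", check_mbr(KNOWN_GOOD, BASELINE_HASH) or "clean")
    print("overwritten:", check_mbr(OVERWRITTEN, BASELINE_HASH))
```

On a real host the sector comes from the raw device rather than build_sample_mbr: read 512 bytes from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux (both need administrator or root), record BASELINE_HASH from a known-clean image, and rerun check_mbr after the suspect execution. A hash mismatch with an intact partition table is exactly the pattern this report's "Writes to the Master Boot Record" signature describes.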

MITRE ATT&CK Enterprise v15

Tasks