General
- Target: e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8
- Size: 192KB
- Sample: 240616-d89pkssbmq
- MD5: ec953ec76ac11945eac9411f9a9e236f
- SHA1: f07b89285cb1b6e5eb30dcd91e0bb15148d56299
- SHA256: e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8
- SHA512: e4fe63e4290a4d7a5d12aabe606e02989b707a725e6e0db069fd23c6aa4144300cefd5a8290c80cc664e072f3cae59927a8087a2e9e3e904e8f568b542578a28
- SSDEEP: 6144:a2B0AS6cap7O+7sQvMRlkM4RD/qzMfUVIO:a8FZBOqMRGM4h/qofbO
- Static task: static1
- Behavioral task: behavioral1
  - Sample: e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe
  - Resource: win7-20240611-en
Malware Config (extracted)
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
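The extracted URLs are the only network indicators on this page. The paths (/home.gif, /testo5/) are the part most likely to vary between samples, so the usable IOC is the host. The following is an added example, not code from the report or the sandbox: it reduces the config URLs to hosts, matches them against proxy and resolver log lines (the log lines, the Squid-native proxy format, the "ts client qname qtype" DNS format and the sid range 9000001+ are all assumptions constructed for the example), and emits one Suricata rule per host.

```python
"""Host IOCs from the Sality config URLs above, matched against constructed
proxy/DNS log lines, plus Suricata rules. Added example, not from the report."""
import ipaddress
from urllib.parse import urlparse

# Copied verbatim from the "Malware Config" section of this report.
SALITY_CONFIG_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def iocs_from_urls(urls):
    """Reduce URLs to lowercase hosts. A leading 'www.' is dropped so the bare
    domain is the IOC and any subdomain matches by suffix in host_matches()."""
    hosts = set()
    for u in urls:
        h = (urlparse(u).hostname or "").lower()
        if h.startswith("www."):
            h = h[4:]
        if h:
            hosts.add(h)
    return hosts


def host_matches(host, iocs):
    """True if host equals an IOC, or is a subdomain of a domain IOC (IPs never
    match by suffix, so '1.89.119.67.154' does not hit on '89.119.67.154')."""
    host = host.lower().rstrip(".")
    if host in iocs:
        return True
    return any(host.endswith("." + i) for i in iocs if not _is_ip(i))


def scan_proxy_log(lines, iocs):
    """Squid native access.log: ts elapsed client code/status bytes method url ..."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue
        client, url = f[2], f[6]
        host = urlparse(url).hostname
        if host and host_matches(host, iocs):
            hits.append((client, host, url))
    return hits


def scan_dns_log(lines, iocs):
    """Constructed resolver log: ts client qname qtype."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 3 and host_matches(f[2], iocs):
            hits.append((f[1], f[2].lower().rstrip(".")))
    return hits


def suricata_rules(iocs, sid_start=9000001):
    """One alert per IOC: dns.query sticky buffer for domains, an ip rule for addresses."""
    rules = []
    for n, ioc in enumerate(sorted(iocs), start=sid_start):
        if _is_ip(ioc):
            rules.append(f'alert ip $HOME_NET any -> {ioc} any (msg:"Sality C2 IP {ioc}"; sid:{n}; rev:1;)')
        else:
            rules.append(f'alert dns any any -> any any (msg:"Sality C2 domain {ioc}"; '
                         f'dns.query; content:"{ioc}"; nocase; sid:{n}; rev:1;)')
    return rules


# Constructed sample logs (not from the report): two hits in each, plus benign noise.
# The third proxy line uses a different path than the config; the host still matches.
PROXY_LOG = [
    "1718532001.101 45 10.0.0.5 TCP_MISS/200 512 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/198.51.100.7 image/gif",
    "1718532002.202 12 10.0.0.7 TCP_MISS/200 9000 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1718532003.303 80 10.0.0.9 TCP_MISS/404 300 GET http://89.119.67.154/testo9/ - HIER_DIRECT/89.119.67.154 text/html",
]
DNS_LOG = [
    "1718532004 10.0.0.5 kukutrustnet987.info. A",
    "1718532005 10.0.0.7 www.klkjwre9fqwieluoi.info A",
    "1718532006 10.0.0.8 update.example.org A",
]

if __name__ == "__main__":
    iocs = iocs_from_urls(SALITY_CONFIG_URLS)
    for hit in scan_proxy_log(PROXY_LOG, iocs) + scan_dns_log(DNS_LOG, iocs):
        print("HIT", hit)
    print("\n".join(suricata_rules(iocs)))
```

Matching on the host rather than the full URL is deliberate: the constructed third proxy line requests /testo9/ on 89.119.67.154 and still hits. Keep the IP rule scoped to $HOME_NET so an unrelated inbound scan from that address does not fire it.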
Targets
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
- UPX dump on OEP (original entry point)
- Disables RegEdit via registry modification
- Sets file execution options in registry
- ACProtect 1.3x - 1.4x DLL software: detects file using ACProtect software.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
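The signatures above name the registry areas the sample touches (Winlogon, firewall policy, Explorer visibility, RegEdit lockout, Image File Execution Options, Run keys) but not the values, so a responder triaging a suspect host needs the concrete locations and a notion of what "clean" looks like. The following is an added example and not code from the report or the sandbox: the key paths and value semantics are the documented Windows ones, the stock Winlogon values, the severity labels, the Run-key "\temp\" heuristic and both snapshots are constructed assumptions, and the hypothetical winabcd.exe is illustrative, not an indicator from this sample.

```python
"""Registry audit for the persistence and defense-evasion signatures listed above.
Added example, not code from the report or the sandbox; key/value semantics are the
documented Windows ones, the heuristic and sample data are constructed."""
import sys

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_PROFILES = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile",
]
EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Stock values; the trailing comma on Userinit is normal and ignored when comparing.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
VISIBILITY_VALUES = ("HideFileExt", "Hidden", "ShowSuperHidden")


def _get(snap, key, name, default=None):
    return snap.get(key, {}).get(name, default)


def audit(snapshot, baseline=None):
    """snapshot/baseline: {key_path: {value_name: data}}; IFEO per-image subkeys are
    stored as IFEO + '\\' + image name. Returns (severity, key, value, detail) tuples."""
    f = []
    for name, default in WINLOGON_DEFAULTS.items():      # Winlogon helper hijack
        cur = _get(snapshot, WINLOGON, name)
        if cur is not None and cur.strip().lower().rstrip(",") != default.lower().rstrip(","):
            f.append(("high", WINLOGON, name, f"non-default: {cur}"))
    for key in FW_PROFILES:                               # firewall policy service
        if _get(snapshot, key, "EnableFirewall") == 0:
            f.append(("high", key, "EnableFirewall", "firewall profile disabled"))
    if _get(snapshot, POLICIES_SYS, "DisableRegistryTools", 0) != 0:
        f.append(("medium", POLICIES_SYS, "DisableRegistryTools", "regedit blocked"))
    # Visibility values have benign defaults (HideFileExt=1 on a stock install), so only
    # a change against a pre-infection baseline is evidence; with no baseline, skip them.
    if baseline is not None:
        for name in VISIBILITY_VALUES:
            old, new = _get(baseline, EXPLORER_ADV, name), _get(snapshot, EXPLORER_ADV, name)
            if old != new:
                f.append(("medium", EXPLORER_ADV, name, f"changed {old!r} -> {new!r}"))
    for key, vals in snapshot.items():                    # file execution options
        if key.startswith(IFEO + "\\") and "Debugger" in vals:
            f.append(("high", key, "Debugger", f"image hijacked: {vals['Debugger']}"))
    for key in RUN_KEYS:                                  # Run key autostart
        for name, cmd in snapshot.get(key, {}).items():
            if "\\temp\\" in str(cmd).lower():            # constructed heuristic, not a rule
                f.append(("high", key, name, f"autostart from temp: {cmd}"))
    return f


def collect_snapshot():
    """Windows only: read the keys above with winreg into the snapshot shape
    (32-bit Python on 64-bit Windows sees the WOW6432Node view of HKLM\\SOFTWARE)."""
    if sys.platform != "win32":
        raise RuntimeError("collect_snapshot needs Windows; pass a snapshot dict to audit()")
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}

    def read(path, recurse=False):
        root, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                vals, i = {}, 0
                while True:
                    try:
                        n, d, _ = winreg.EnumValue(k, i); vals[n] = d; i += 1
                    except OSError:
                        break
                snap[path] = vals
                j = 0
                while recurse:
                    try:
                        read(path + "\\" + winreg.EnumKey(k, j)); j += 1
                    except OSError:
                        break
        except OSError:
            pass

    for p in [WINLOGON, *FW_PROFILES, EXPLORER_ADV, POLICIES_SYS, *RUN_KEYS]:
        read(p)
    read(IFEO, recurse=True)
    return snap


# Constructed snapshots: a stock Windows 7 user, and the same host after an infection
# matching the report's signature names. The winabcd.exe path is hypothetical.
TMP = r"C:\Users\u\AppData\Local\Temp\winabcd.exe"
CLEAN = {
    WINLOGON: dict(WINLOGON_DEFAULTS),
    FW_PROFILES[0]: {"EnableFirewall": 1},
    EXPLORER_ADV: {"HideFileExt": 1, "Hidden": 1, "ShowSuperHidden": 1},
    RUN_KEYS[1]: {"OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
}
INFECTED = {
    WINLOGON: {"Shell": "explorer.exe", "Userinit": WINLOGON_DEFAULTS["Userinit"] + TMP},
    FW_PROFILES[0]: {"EnableFirewall": 0},
    EXPLORER_ADV: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    POLICIES_SYS: {"DisableRegistryTools": 1},
    IFEO + r"\regedit.exe": {"Debugger": TMP},
    RUN_KEYS[1]: {"OneDrive": CLEAN[RUN_KEYS[1]]["OneDrive"], "winabcd": TMP},
}

if __name__ == "__main__":
    for sev, key, name, detail in audit(INFECTED, baseline=CLEAN):
        print(f"[{sev}] {key}\\{name}: {detail}")
```

On a live Windows host call audit(collect_snapshot(), baseline=...) with a snapshot taken from a known-good image; without a baseline the Explorer visibility values are skipped on purpose, because HideFileExt=1 and Hidden=2 are also what a stock install looks like and would otherwise flood the output.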
MITRE ATT&CK Matrix (ATT&CK v13)
Numbers in parentheses are the per-technique counts from the original matrix.

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)

Defense Evasion
- Modify Registry (10)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)