General

  • Target: b1ad36d1a5e338137454b76933e71d670160e9a9f3a47bfd7d99fa0a888aa18d
  • Size: 308KB
  • Sample: 240831-alh2kavarc
  • MD5: fd282ca398de87d95c087279bb11c77c
  • SHA1: f17f9e420b1c35b2622d53854240db423e3dd7ad
  • SHA256: b1ad36d1a5e338137454b76933e71d670160e9a9f3a47bfd7d99fa0a888aa18d
  • SHA512: c7a903d90c3336889adb4db32d8ddb0ce3263f54b44a24b893818c8d2efff42fa225977b5c32c289c360064df7923a8811996451fe33e09b671cef1e2f52e333
  • SSDEEP: 6144:1qJPXrcQlqtxgjqJglVT0HEU+XVq0Jq2o2SqEBejjjR+Bd9Vc4c3YXr:KTcQlqROJU+Fqsvo2SxejjjR+Bd9VcDc

Malware Config

Extracted

  • Family: sakula
  • C2: www.polarroute.com

Targets

    • Target: a601c8375a61908e22ec9d8f50e24a838c717b635cc39144f12aef34de10221d
    • Size: 517KB
    • MD5: 27a929c376221c72dae86152bb970efd
    • SHA1: 2c53d1f801645d7cc59d5632926a45c0ecbade45
    • SHA256: a601c8375a61908e22ec9d8f50e24a838c717b635cc39144f12aef34de10221d
    • SHA512: 10c56d07be32afe14c6ccba3c65465632ee5748ed337d89240b49a6a559ae4b622d43242acae494b6e3f9002756b557684cb6efb1c543fa1f93508e62fa01811
    • SSDEEP: 12288:0RfQn+w8EYiBlMkn5f9J105ko8T6csVeU:g4+wlYBsb3zNsh

    • Sakula: Sakula is a remote access trojan with various capabilities.
    • Sakula payload
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Enterprise v15