General

  • Target

    a1d842f11aedee4ea2d681b25ce900b0N.exe

  • Size

    41KB

  • Sample

    240831-egq9lavbpj

  • MD5

    a1d842f11aedee4ea2d681b25ce900b0

  • SHA1

    dbc6c4608d6fe60968c9e4ea0fbe4f8d805c39c5

  • SHA256

    76cb213faa95d51b6022a3f936437657c8ef499571978774684075f73782b522

  • SHA512

    8ace17b75d9aafe60cfafcc88394f5ca87b1d1b44c0503750c7c08c7f2dc8cc19fecc8fa4601dd92f3f1f36bcfda6651053796aed6cfb9a0e5df3ed5f7c12cb9

  • SSDEEP

    768:9zpVJi5kPTIukEYpcHOZ6rFSBZxkXNVkSXtfgn3JkcBwQoabJF7nbcuyD7Ua:N/JKiMLE9bOq5fgn6Ozoaz7nouy8a

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Targets

    • Target

      a1d842f11aedee4ea2d681b25ce900b0N.exe

    • Size

      41KB

    • MD5

      a1d842f11aedee4ea2d681b25ce900b0

    • SHA1

      dbc6c4608d6fe60968c9e4ea0fbe4f8d805c39c5

    • SHA256

      76cb213faa95d51b6022a3f936437657c8ef499571978774684075f73782b522

    • SHA512

      8ace17b75d9aafe60cfafcc88394f5ca87b1d1b44c0503750c7c08c7f2dc8cc19fecc8fa4601dd92f3f1f36bcfda6651053796aed6cfb9a0e5df3ed5f7c12cb9

    • SSDEEP

      768:9zpVJi5kPTIukEYpcHOZ6rFSBZxkXNVkSXtfgn3JkcBwQoabJF7nbcuyD7Ua:N/JKiMLE9bOq5fgn6Ozoaz7nouy8a

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks