General

  • Target

    eecf6c1f552ca12dca8086231c787a50N.exe

  • Size

    39KB

  • Sample

    240904-c9wnnsvgnh

  • MD5

    eecf6c1f552ca12dca8086231c787a50

  • SHA1

    4e191fe4b486f7800384550311809537f300aad3

  • SHA256

    b447d146d36dd7784ca1270850ec49ba600df047c24bbfe98354dcb8725944cc

  • SHA512

    1e61657add10206b7bfc72b0fefa115027953345055766cfd16ad44c91d40d0faa16ed913657375abea56dc69365585f02ad652899647515974500dd8704be28

  • SSDEEP

    768:EXgqefjKf3Z6qSRnzpdwT1RIj1egKRFXSp/Dfm982r7DK:QgqeGB6qAnzpdw5Y0wLm9h+

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com
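
The hashes and the C2 host above are the only host and network indicators the report gives. The following is an added example, not part of the sandbox report, showing how a responder would match a suspect file against those hashes and sweep DNS or proxy logs for the C2. The hashes and `www.savmpet.com` are copied from the report; the log lines are constructed for illustration, and treating the whole `savmpet.com` zone as hostile (not only the `www` host the report lists) is an assumption on my part.

```python
"""Match a file and a batch of log lines against the indicators in this report.

Added example, not part of the original sandbox report. The hashes and the
C2 host are copied from the report; the log lines are constructed and are not
real telemetry.
"""
import hashlib
import re
import sys

# Indicators copied from the report.
REPORT_HASHES = {
    "md5": "eecf6c1f552ca12dca8086231c787a50",
    "sha1": "4e191fe4b486f7800384550311809537f300aad3",
    "sha256": "b447d146d36dd7784ca1270850ec49ba600df047c24bbfe98354dcb8725944cc",
    "sha512": "1e61657add10206b7bfc72b0fefa115027953345055766cfd16ad44c91d40d0f"
              "aa16ed913657375abea56dc69365585f02ad652899647515974500dd8704be28",
}
C2_HOSTS = {"www.savmpet.com"}
# Assumption: anything under the C2's zone is worth flagging, not only the
# exact host the sandbox saw.
C2_ZONES = {"savmpet.com"}

# Constructed log lines for the demonstration (DNS and proxy style). Line 5
# is a decoy: a host that merely contains the C2 name must not match.
SAMPLE_LOGS = [
    "2024-09-04T10:02:11Z dns query=www.savmpet.com type=A client=10.1.2.3",
    "2024-09-04T10:02:12Z proxy GET http://www.savmpet.com/ status=200 bytes=512",
    "2024-09-04T10:02:15Z dns query=update.microsoft.com type=A client=10.1.2.3",
    "2024-09-04T10:02:40Z dns query=cdn.savmpet.com type=A client=10.1.2.9",
    "2024-09-04T10:03:01Z proxy GET http://savmpet.com.example.net/ status=404",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def file_digests(data: bytes) -> dict:
    """Lowercase hex digests of data for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matched_algorithms(digests: dict, report: dict = REPORT_HASHES) -> list:
    """Names of the algorithms whose digest equals the report's value."""
    return sorted(name for name, value in report.items()
                  if digests.get(name, "").lower() == value.lower())


def is_known_sample(data: bytes) -> bool:
    """True only when all four digests agree with the report."""
    return len(matched_algorithms(file_digests(data))) == len(REPORT_HASHES)


def host_matches(host: str) -> bool:
    """Exact C2 host, or a host inside a C2 zone (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    if host in C2_HOSTS:
        return True
    return any(host == zone or host.endswith("." + zone) for zone in C2_ZONES)


def c2_hits(lines) -> list:
    """(line number, host) for every host in the lines that matches the C2."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host_matches(host):
                hits.append((number, host.lower()))
    return hits


if __name__ == "__main__":
    # Usage: python match_sakula_iocs.py <path-to-suspect-file>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("hash match:", matched_algorithms(file_digests(fh.read())))
    for number, host in c2_hits(SAMPLE_LOGS):
        print(f"log line {number}: contact with {host}")
```

The suffix check in `host_matches` is deliberate: a plain substring search for `savmpet.com` would also fire on the decoy `savmpet.com.example.net`, while matching on a label boundary does not.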

Targets

    • Target

      eecf6c1f552ca12dca8086231c787a50N.exe

    • Sakula

      Sakula (also tracked as Sakurel and VIPER) is a remote access trojan that lets an operator run commands on the victim and download and execute further components; it communicates with its C2 over HTTP.

    • Sakula payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
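
The last behaviour, persistence through a Run key pointing at a dropped executable, is the one most easily hunted across a fleet. The following is an added example, not part of the sandbox report, that parses `reg export` style text for the HKCU and HKLM Run keys and flags entries whose command line lives in a user-writable directory. The registry export is constructed for illustration and is not taken from the sample; the value names and paths in it are invented, and the list of directories treated as suspicious is my choice.

```python
"""Hunt for Run-key persistence of the kind this report flags.

Added example, not part of the sandbox report. The registry export text is
constructed to look like `reg export` output; the entries in it are invented.
"""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Directories an ordinary user can write to; an autorun pointing there is
# where a dropped payload usually lands. Assumption: this list is mine.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed export. The OneDrive and SecurityHealth entries are benign
# decoys; Updater and svchost point into user-writable locations.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\ProgramData\\svchost.exe -k netsvcs"
"""

# A value line: "name"=<raw value>, where the name may contain escaped quotes.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Map each [key path] to {value name: raw value text}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            match = ENTRY_RE.match(line)
            if match:
                keys[current][match.group(1)] = match.group(2)
    return keys


def unescape_reg_string(raw: str):
    """String value of a "..." (REG_SZ) entry with \\ and \" unescaped; None for other types."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def suspicious_autoruns(text: str) -> list:
    """(hive, value name, command) for Run entries that point into a writable dir."""
    hits = []
    keys = parse_reg_export(text)
    for key in RUN_KEYS:
        for name, raw in keys.get(key, {}).items():
            command = unescape_reg_string(raw)
            if command is None:
                continue  # hex:/dword: values are not command lines
            if any(d in command.lower() for d in SUSPICIOUS_DIRS):
                hits.append((key.split("\\")[0], name, command))
    return hits


if __name__ == "__main__":
    # Usage: python hunt_run_keys.py < export.reg   (or run as-is for the sample)
    for hive, name, command in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{hive}\\...\\Run  {name!r} -> {command}")
```

On a live host the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; the same parser handles it because `reg export` writes exactly this escaping.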

MITRE ATT&CK Enterprise v15

Tasks