sality | 38cd5625a947de772cd84546e8fdb743d85d7ce7523ec30fbc5ecb8d7471703c | Triage

Resubmissions

29-11-2024 09:09

241129-k4q51axkaz 10

31-12-2023 09:44

231231-lqqsraeacp 10

Sharing

General

Target

38cd5625a947de772cd84546e8fdb743d85d7ce7523ec30fbc5ecb8d7471703c
Size

3.4MB
Sample

241129-k4q51axkaz
MD5

841907da61afc25c6c092c7fa2113201
SHA1

54f20ee5fc2a720d6a5c4d9cdd3efbf481a7a7ae
SHA256

38cd5625a947de772cd84546e8fdb743d85d7ce7523ec30fbc5ecb8d7471703c
SHA512

707cef7515033719a1f7a072feafb7072362419b01596f4521ace31f50aa36aa0f8a91a271f3518cb69762a6318f902bcc379641779454b60f9b877df34751cd
SSDEEP

49152:XsbUHw+HnsHyjtk2MYC5GDQICvNYGtOGjM8QvL4OkEqtFry3Vo5Sn7+:cbUHw+Hnsmtk2a9xYL49Eqtk3K5q7+

Score

10^/10

sality xred backdoor discovery evasion persistence trojan upx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

- Target
  
  38cd5625a947de772cd84546e8fdb743d85d7ce7523ec30fbc5ecb8d7471703c
- Size
  
  3.4MB
- MD5
  
  841907da61afc25c6c092c7fa2113201
- SHA1
  
  54f20ee5fc2a720d6a5c4d9cdd3efbf481a7a7ae
- SHA256
  
  38cd5625a947de772cd84546e8fdb743d85d7ce7523ec30fbc5ecb8d7471703c
- SHA512
  
  707cef7515033719a1f7a072feafb7072362419b01596f4521ace31f50aa36aa0f8a91a271f3518cb69762a6318f902bcc379641779454b60f9b877df34751cd
- SSDEEP
  
  49152:XsbUHw+HnsHyjtk2MYC5GDQICvNYGtOGjM8QvL4OkEqtFry3Vo5Sn7+:cbUHw+Hnsmtk2a9xYL49Eqtk3K5q7+
Score

10^/10

sality xred backdoor discovery evasion persistence trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

salityxredbackdoordiscoveryevasionpersistencetrojanupx