General

  • Target

    658752ba9a98b9a176411424d2cd5cbd33088e0c59645015dd2f76284added58N.exe

  • Size

    432KB

  • Sample

    241204-2emjyszqem

  • MD5

    3880845a9a58821707b0354fca94a9c0

  • SHA1

    8a42949c4466401dc1a3c6accda078a915dc3892

  • SHA256

    658752ba9a98b9a176411424d2cd5cbd33088e0c59645015dd2f76284added58

  • SHA512

    1c0bd3d5648807c8e21d5a388d6c003f05a75503a51c6e464612647c5ccdbfadca49f65a277f30389743c3610e1ee2346d79eb7c891f5cfa09c7481d4c65e75d

  • SSDEEP

    12288:nlDzNwTWdB4fEBcjMAKfxTDyZ6MnfZm01lNphrVD:nlKTgB+EKKJTDyo0hv1lNpjD

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      658752ba9a98b9a176411424d2cd5cbd33088e0c59645015dd2f76284added58N.exe

    • Size

      432KB

    • MD5

      3880845a9a58821707b0354fca94a9c0

    • SHA1

      8a42949c4466401dc1a3c6accda078a915dc3892

    • SHA256

      658752ba9a98b9a176411424d2cd5cbd33088e0c59645015dd2f76284added58

    • SHA512

      1c0bd3d5648807c8e21d5a388d6c003f05a75503a51c6e464612647c5ccdbfadca49f65a277f30389743c3610e1ee2346d79eb7c891f5cfa09c7481d4c65e75d

    • SSDEEP

      12288:nlDzNwTWdB4fEBcjMAKfxTDyZ6MnfZm01lNphrVD:nlKTgB+EKKJTDyo0hv1lNpjD

    • Disables service(s)

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Blocklisted process makes network request

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks