General

  • Target

    626e983563d5ae23d9efead5a63b89a6d55ad8c3a6a2342d86c5b94fbd3d6454N.exe

  • Size

    240KB

  • Sample

    241219-fyqvts1khr

  • MD5

    89ebceea688bbee190812f8c33dd5910

  • SHA1

    1301a28798ab31fd0fb9d62e96b0ba08d0b59316

  • SHA256

    626e983563d5ae23d9efead5a63b89a6d55ad8c3a6a2342d86c5b94fbd3d6454

  • SHA512

    c5051e64c921afe6bc9af4c5af84ad048490201260d739c58f2dd904ede24f19937e0a468d514c3516e387fbaa4a39ed0f865c04e975ac4fda8bb63bbd4da475

  • SSDEEP

    1536:+MJSA0wu18fL22ATdhuJyFXlyC1doZVNcEvkUbPcuwNuXW4ys/Fd+FSbawIInAsB:+MJZ0XiujuJZKmaGYYXW4ymo47DhdP

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      626e983563d5ae23d9efead5a63b89a6d55ad8c3a6a2342d86c5b94fbd3d6454N.exe

    • Size

      240KB

    • MD5

      89ebceea688bbee190812f8c33dd5910

    • SHA1

      1301a28798ab31fd0fb9d62e96b0ba08d0b59316

    • SHA256

      626e983563d5ae23d9efead5a63b89a6d55ad8c3a6a2342d86c5b94fbd3d6454

    • SHA512

      c5051e64c921afe6bc9af4c5af84ad048490201260d739c58f2dd904ede24f19937e0a468d514c3516e387fbaa4a39ed0f865c04e975ac4fda8bb63bbd4da475

    • SSDEEP

      1536:+MJSA0wu18fL22ATdhuJyFXlyC1doZVNcEvkUbPcuwNuXW4ys/Fd+FSbawIInAsB:+MJZ0XiujuJZKmaGYYXW4ymo47DhdP

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks