Extracted

• • Target

    50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

  • Size

    2.3MB

  • MD5

    921379bd587ab29da4dc23fb9d47fe36

  • SHA1

    e9db1731731503a81a2fdc67ffa005e6aa2a8038

  • SHA256

    50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

  • SHA512

    90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

  • SSDEEP

    49152:dtSuw/yQBQIlFZ4n5gcdRVGTZYf0hrSkW6OoXWr0u3r8t9V808b:hnID2n5pViC8hrRW9X78tjIb

  Score

  10^/10

  salitybackdoordiscoveryevasionpersistencetrojanupxdefense_evasion

  • Modifies firewall policy service

    evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Indicator Removal: Network Share Connection Removal

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2

• • Target

    $PLUGINSDIR/inetc.dll

  • Size

    21KB

  • MD5

    d7a3fa6a6c738b4a3c40d5602af20b08

  • SHA1

    34fc75d97f640609cb6cadb001da2cb2c0b3538a

  • SHA256

    67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

  • SHA512

    75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

  • SSDEEP

    384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu

  Score

  3^/10

  discovery
  behavioral3behavioral4

• • Target

    $R9/uihost32.exe

  • Size

    3.3MB

  • MD5

    4fca837855b3bced7559889adb41c4b7

  • SHA1

    04efbfdfc154938b8b60ace4c2d75fae0afd788a

  • SHA256

    8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec

  • SHA512

    9b9b5ce67d46acb33d800095c2dbd8e64c82612653c15053f099c06e6ef1f5ed3c1f2232e3608259fd406f1ac86f500f157a46ec15946de70407bab5554e92f9

  • SSDEEP

    98304:JeMVCZJfIiM9zP7GAzjATtDJC0hNHY3RM:hCZfqzP7GAzjATtDJFN43m

  Score

  10^/10

  xmrigdiscoveryminer

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner
  behavioral5behavioral6

• • Target

    $R9/uihost64.exe

  • Size

    2.8MB

  • MD5

    0211073feb4ba88254f40a2e6611fcef

  • SHA1

    3ce5aeeac3a1586d291552f541b5e6508f8b7cea

  • SHA256

    62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

  • SHA512

    6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

  • SSDEEP

    49152:Bd/KnFvJzZNhDYoYYYYoMYYYYYYjiYiYiEJzdJzrBR/Ut7sIul5+0SVRwq9/32xq:MJzZNhDYoYYYYoMYYYYYYjiYiYiEJzde

  Score

  10^/10

  xmrigminer

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner
  behavioral7behavioral8