General

  • Target

    6da22220b108c980af987da381ab6d9492b3335a7e49be5ed8b5d3e37bcd8222.exe

  • Size

    619KB

  • Sample

    250110-2dg8vatkck

  • MD5

    45de3207d7b557d14ddf799a4f2a1ee8

  • SHA1

    ae79fc632e57d30640beb22ba63616df4cacb498

  • SHA256

    6da22220b108c980af987da381ab6d9492b3335a7e49be5ed8b5d3e37bcd8222

  • SHA512

    393a0c3c018d1da56ff86fdd4de1e191ca47803fb9751b5eb1544e21ae9375ab6b98290505a966417d3796b8a96de29a16c7813ccde3e492d850333807259c7c

  • SSDEEP

    6144:3yCh485piYDNd1/0Pj/K3hYH95NCyyN0vTOHSShKS/w0tn0BIwMd7wvc4X4/ndLR:jl5lDN/0Pu3evNCwawIwM+m/HD

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Targets

    • Target

      6da22220b108c980af987da381ab6d9492b3335a7e49be5ed8b5d3e37bcd8222.exe

    • Size

      619KB

    • MD5

      45de3207d7b557d14ddf799a4f2a1ee8

    • SHA1

      ae79fc632e57d30640beb22ba63616df4cacb498

    • SHA256

      6da22220b108c980af987da381ab6d9492b3335a7e49be5ed8b5d3e37bcd8222

    • SHA512

      393a0c3c018d1da56ff86fdd4de1e191ca47803fb9751b5eb1544e21ae9375ab6b98290505a966417d3796b8a96de29a16c7813ccde3e492d850333807259c7c

    • SSDEEP

      6144:3yCh485piYDNd1/0Pj/K3hYH95NCyyN0vTOHSShKS/w0tn0BIwMd7wvc4X4/ndLR:jl5lDN/0Pu3evNCwawIwM+m/HD

    • Detect Neshta payload

    • Modifies firewall policy service

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Neshta family

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Checks whether UAC is enabled

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks