General
-
Target
8405d21e1c93425521cfb286c44936ab8351dcc1e726b7792398323aa0448189N.exe
-
Size
41KB
-
Sample
250116-ggqdeavnax
-
MD5
680d53d3d912fd9912d1cccf8d4c51c0
-
SHA1
1dd7ff3eb9d538206a36928a6d17f8bbeabb70a0
-
SHA256
8405d21e1c93425521cfb286c44936ab8351dcc1e726b7792398323aa0448189
-
SHA512
d9acac1db90409995383994fe44346949aeb60ce09147401c7aa42d8e246cc744247dfe43ebb6e6008242247197f78bf8c20eabf43df3dd5f1663a3b07554459
-
SSDEEP
768:9zpVJi5kPTIukEYpcHOZ6rFSBZxkXNVkSXtfgn3JkcBwQoabJF7nbcuyD7Ur:N/JKiMLE9bOq5fgn6Ozoaz7nouy8r
Malware Config
Extracted
sakula
www.polarroute.com
Targets
-
-
Target
8405d21e1c93425521cfb286c44936ab8351dcc1e726b7792398323aa0448189N.exe
-
Size
41KB
-
MD5
680d53d3d912fd9912d1cccf8d4c51c0
-
SHA1
1dd7ff3eb9d538206a36928a6d17f8bbeabb70a0
-
SHA256
8405d21e1c93425521cfb286c44936ab8351dcc1e726b7792398323aa0448189
-
SHA512
d9acac1db90409995383994fe44346949aeb60ce09147401c7aa42d8e246cc744247dfe43ebb6e6008242247197f78bf8c20eabf43df3dd5f1663a3b07554459
-
SSDEEP
768:9zpVJi5kPTIukEYpcHOZ6rFSBZxkXNVkSXtfgn3JkcBwQoabJF7nbcuyD7Ur:N/JKiMLE9bOq5fgn6Ozoaz7nouy8r
Score10/10-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula family
-
Sakula payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1