MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SakulaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
SHA3-384 hash: 0acc68ffaa5bf18236796786d1704ca2ed31f7cc036124d49e9f4d800e406a20a692a8c67e5bb476685037c73ed2c0cd
SHA1 hash: 33cb9adfbb9e8b6d753df9389bfa6c081cb1ab33
MD5 hash: 51d60455b6e1b9f562564450dc2dd2d3
humanhash: bravo-timing-carpet-earth
File name:2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
Download: download sample
Signature SakulaRAT
Create hunting rule
File size:61'440 bytes
First seen:2022-03-23 09:34:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b4e734e734027217722fe4eb0093f3d (6 x SakulaRAT)
ssdeep 1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/r:iEoIlwIguEA4c5DgA9DOyq0eFT
Threatray 6'603 similar samples on MalwareBazaar
TLSH T1FC5302D1B2BB08D8C198A673021A5F8C6525C9AE4260D6D7A7CC722CDCE2E30F3711E5
Reporter JAMESWT_WT
Tags:exe SakulaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Sakula
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256085/
Detection(s):
Win.Malware.Scar-6745903-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623ae9da0cd58dbd92de6f01/reports/e0ec4b80-21fa-414d-af2b-0c1238520fa2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Sakula RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962636
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain checking for user administrative privileges
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Uses ping.exe to check the status of other devices and networks
Yara detected Sakula RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 595130 Sample: ywU5dPli4a Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Antivirus detection for URL or domain 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 3 other signatures 2->43 7 ywU5dPli4a.exe 1 3 2->7         started        11 MediaCenter.exe 12 2->11         started        process3 dnsIp4 25 C:\Users\user\AppData\...\MediaCenter.exe, MS-DOS 7->25 dropped 45 Detected unpacking (changes PE section rights) 7->45 47 Self deletion via cmd delete 7->47 49 Found evasive API chain checking for user administrative privileges 7->49 14 MediaCenter.exe 12 7->14         started        18 cmd.exe 1 7->18         started        31 citrix.vipreclod.com 11->31 file5 signatures6 process7 dnsIp8 33 citrix.vipreclod.com 14->33 35 184.22.175.13, 80 AIS-FIBRE-AS-APAISFibreTH Thailand 14->35 51 Antivirus detection for dropped file 14->51 53 Detected unpacking (changes PE section rights) 14->53 55 Machine Learning detection for dropped file 14->55 57 Found evasive API chain checking for user administrative privileges 14->57 59 Uses ping.exe to check the status of other devices and networks 18->59 20 PING.EXE 1 18->20         started        23 conhost.exe 18->23         started        signatures9 process10 dnsIp11 27 127.0.0.1 unknown unknown 20->27 29 192.168.2.1 unknown unknown 20->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825/
Threat name:
Win32.Trojan.Sakurel
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 21:09:00 UTC
AV detection:
34 of 41 (82.93%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
sakularat
Create hunting rule
Similar samples:
2034913d5e026d6202f565de48e245652c11b79fc546481c6feac7f93f7e879f
SakulaRAT
4882622a4c8ab3952d8594a25e372dc2d4abc1f289b4aa695cc19cfa2522f476
SakulaRAT
68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
SakulaRAT
6d9e844f3b138da311b2bcc78ebc006042ac59075077f56dd9d52d21578caf59
SakulaRAT
764584f517064ea8c3e3e5077fe98e6a479986db55d93f5b071991cdcce89630
SakulaRAT
9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
SakulaRAT
ba2d41c16c8e42d91e08833e66a013ebc70c0cf8fc83b08fcae97077d64ac442
SakulaRAT
dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2
SakulaRAT
dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a
SakulaRAT
fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f
SakulaRAT
+ 6'593 additional samples on MalwareBazaar
Result
Malware family:
sakula
Create hunting rule
Score:
  10/10
Tags:
family:sakula persistence rat trojan
Link:
https://tria.ge/reports/220323-ljw17agbdk/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Sakula
Unpacked files
SH256 hash:
48d9baa9750e346a871fb58ed23e2d3e1e6be8ddde033c4542859722e5ebba77
MD5 hash:
b1a4fb7dbab604d405e46f177661f214
SHA1 hash:
ad3f183e89bbb17a24f05d74984422ca9c449a2b
Detections:
win_sakula_rat_w2
Create hunting rule
win_sakula_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/f64575a2-8c85-4be4-94b2-1cf62686b58d/
SH256 hash:
2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
MD5 hash:
51d60455b6e1b9f562564450dc2dd2d3
SHA1 hash:
33cb9adfbb9e8b6d753df9389bfa6c081cb1ab33
Link:
https://www.unpac.me/results/f64575a2-8c85-4be4-94b2-1cf62686b58d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256085/

Comments