MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SakulaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
SHA3-384 hash:	2195a12c8f013f4474dba0247266441a2885f390acdc7f1ecd458064b0c412f24873201715e256ce06e75a397a588034
SHA1 hash:	60332ac344938bfb47d02ad7dbdd275e9d1facc7
MD5 hash:	54f4351fa685e8fd8f7daa3d3a5919f8
humanhash:	potato-river-happy-high
File name:	68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
Download:	download sample
Signature	SakulaRAT Create hunting rule
File size:	106'496 bytes
First seen:	2022-03-23 09:33:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3749d6854edd311c9d3b41e44c8a43a1 (9 x SakulaRAT)
ssdeep	1536:Roaj1hJL1S9t0MIeboal8bCKxo7h0RPaaml0Nz30rtrpxu:i0hpgz6xGhZamyF30BNxu
Threatray	6'567 similar samples on MalwareBazaar
TLSH	T19FA35A16B6D1C032E062153804B8E2635A7AF9324ABCC1977BC5177EBEB03D19D3AF56
Reporter	JAMESWT_WT
Tags:	exe SakulaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Sakula

Link:

https://www.capesandbox.com/analysis/256214/

Detection(s):

Win.Malware.Scar-6745903-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

DNS request

Сreating synchronization primitives

Running batch commands

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745/

Threat name:

Win32.Trojan.Doina

Status:

Malicious

First seen:

2022-03-14 21:19:00 UTC

File Type:

PE (Exe)

AV detection:

40 of 42 (95.24%)

Threat level:

5/5

Verdict:

malicious

Label(s):

sakularat

SakulaRAT

1db2ec499c11b096c4a468a878a9e6bb791183ca2156eb2e8c233fd7b172b607

SakulaRAT

2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825

SakulaRAT

4882622a4c8ab3952d8594a25e372dc2d4abc1f289b4aa695cc19cfa2522f476

SakulaRAT

4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68

SakulaRAT

6d9e844f3b138da311b2bcc78ebc006042ac59075077f56dd9d52d21578caf59

SakulaRAT

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e

SakulaRAT

dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2

SakulaRAT

dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a

SakulaRAT

fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f

SakulaRAT

+ 6'557 additional samples on MalwareBazaar

Result

Malware family:

sakula

Score:

10/10

Tags:

family:sakula persistence rat trojan

Link:

https://tria.ge/reports/220323-ljlv8abgd2/

Behaviour

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Sakula

Sakula Payload

Unpacked files

SH256 hash:

68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745

MD5 hash:

54f4351fa685e8fd8f7daa3d3a5919f8

SHA1 hash:

60332ac344938bfb47d02ad7dbdd275e9d1facc7

Detections:

win_sakula_rat_auto

win_sakula_rat_w2

Link:

https://www.unpac.me/results/e154dff9-32ff-444b-8e60-f7f68ea1817d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	RAT_Sakula Create hunting rule
Author:	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings
Description:	Detects Sakula v1.0 RAT
Reference:	http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara

Rule name:	win_sakula_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.sakula_rat.

Rule name:	win_sakula_rat_w2 Create hunting rule
Author:	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou
Description:	Sakula v1.2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/256214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample