MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SakulaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a
SHA3-384 hash: beeafc63d79c84727a4ea38ada5c3154cc40a95e171592804bc7d1d8f79acb0651736d1d19eac84f10ee5dcb8966b70d
SHA1 hash: 34f145bdaa7c0cf0ce6535725cc88a4099badcf5
MD5 hash: c1742828c782abc124b3383573bc9099
humanhash: mars-low-snake-music
File name:dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a
Download: download sample
Signature SakulaRAT
Create hunting rule
File size:36'864 bytes
First seen:2022-03-23 09:34:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b4e734e734027217722fe4eb0093f3d (6 x SakulaRAT)
ssdeep 768:TwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647DC:TwbYP4nuEApQK4TQbtY2gA9DX+ytBO0
Threatray 6'603 similar samples on MalwareBazaar
TLSH T1BEF2E1E0B6B788C8C99C563751372A49A520C4AF051092E37BCCB72DE8D6F11FE715D5
Reporter JAMESWT_WT
Tags:exe SakulaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Sakula
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256086/
Detection(s):
Win.Malware.Scar-6745903-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Сreating synchronization primitives
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623ae9e10cd58dbd92de6f05/reports/e22dc103-820a-4041-b6d3-5aeccd9e4024/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Sakula RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962575
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain checking for user administrative privileges
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Uses ping.exe to check the status of other devices and networks
Yara detected Sakula RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 595055 Sample: F255Bv7shN Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Antivirus detection for URL or domain 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 3 other signatures 2->43 7 F255Bv7shN.exe 1 3 2->7         started        11 MediaCenter.exe 12 2->11         started        process3 dnsIp4 25 C:\Users\user\AppData\...\MediaCenter.exe, PE32 7->25 dropped 45 Detected unpacking (changes PE section rights) 7->45 47 Self deletion via cmd delete 7->47 49 Found evasive API chain checking for user administrative privileges 7->49 14 MediaCenter.exe 12 7->14         started        18 cmd.exe 1 7->18         started        29 citrix.vipreclod.com 11->29 file5 signatures6 process7 dnsIp8 31 citrix.vipreclod.com 14->31 33 184.22.175.13, 80 AIS-FIBRE-AS-APAISFibreTH Thailand 14->33 35 192.168.2.1 unknown unknown 14->35 51 Antivirus detection for dropped file 14->51 53 Detected unpacking (changes PE section rights) 14->53 55 Machine Learning detection for dropped file 14->55 57 Found evasive API chain checking for user administrative privileges 14->57 59 Uses ping.exe to check the status of other devices and networks 18->59 20 PING.EXE 1 18->20         started        23 conhost.exe 18->23         started        signatures9 process10 dnsIp11 27 127.0.0.1 unknown unknown 20->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a/
Threat name:
Win32.Trojan.Sakurel
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 21:22:00 UTC
AV detection:
35 of 41 (85.37%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
sakularat
Create hunting rule
Similar samples:
2034913d5e026d6202f565de48e245652c11b79fc546481c6feac7f93f7e879f
SakulaRAT
2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
SakulaRAT
4882622a4c8ab3952d8594a25e372dc2d4abc1f289b4aa695cc19cfa2522f476
SakulaRAT
68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
SakulaRAT
6d9e844f3b138da311b2bcc78ebc006042ac59075077f56dd9d52d21578caf59
SakulaRAT
764584f517064ea8c3e3e5077fe98e6a479986db55d93f5b071991cdcce89630
SakulaRAT
9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
SakulaRAT
ba2d41c16c8e42d91e08833e66a013ebc70c0cf8fc83b08fcae97077d64ac442
SakulaRAT
dae0b1a00a0f6f79177dafd7090b3c3f1c2d4e8956a0dd7a5d3eef9ca04ab3b2
SakulaRAT
fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f
SakulaRAT
+ 6'593 additional samples on MalwareBazaar
Result
Malware family:
sakula
Create hunting rule
Score:
  10/10
Tags:
family:sakula persistence rat trojan
Link:
https://tria.ge/reports/220323-lkdw1agbel/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Sakula
Unpacked files
SH256 hash:
a7ffa35ebf830e8a05e06f8d46f39625059d652a47400db3fd9e10f9f4a81866
MD5 hash:
8e479f55e3875221424e97a59a24ae7b
SHA1 hash:
31fa4c01a86d1bd3a99e943b00b8436afe4bd1b7
Detections:
win_sakula_rat_w2
Create hunting rule
win_sakula_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/54b7d12a-7f6f-4512-b6aa-452ef210f7e3/
SH256 hash:
dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a
MD5 hash:
c1742828c782abc124b3383573bc9099
SHA1 hash:
34f145bdaa7c0cf0ce6535725cc88a4099badcf5
Link:
https://www.unpac.me/results/54b7d12a-7f6f-4512-b6aa-452ef210f7e3/
Malware family:
Sakula
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd97fc50c2d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd97fc50c2d66e182adc190aaa8740f60df6d801bf221d69184032c62c44c89a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256086/

Comments