MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sality


Vendor detections: 7



SHA256 hash: 087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7
SHA3-384 hash: 9b12776d9ffe03e12f5084363f97858cbc86c7c6618a7165d2ad5dbbe0765f27013989ed62aec6412ce8dbf4539b7bd5
SHA1 hash: ffe310f517cc7e6e7dc6ca10007338b2c1d09f66
MD5 hash: 9940b1d4284582df2342b9c394b34d20
humanhash: pennsylvania-tango-equal-social
File name: SecuriteInfo.com.Win32.Sector.30.16924.15564
Signature: Sality
File size: 1'128'810 bytes
First seen: 2020-07-30 05:56:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'453 x Socks5Systemz, 262 x RaccoonStealer)
(This imphash is shared with thousands of samples from unrelated families because the sample is UPX packed: the import table being hashed belongs to the packer stub, not to the Sality code underneath, so it is not a usable pivot for attribution.)
ssdeep: 24576:C2UBmTqcQs+IfUjl/HmQ7W+pw/omRzhuBOd4Bv9c8YaXag:C2gmTq9jI8jdmQ7U/omJoQd4zOaV
Threatray: 100 similar samples on MalwareBazaar
TLSH: 083523B2D2B44C39F4A18E381E46E65488733F545430B47A355C6A6CBE2FE95CC6B3A3
Reporter: SecuriteInfoCom
Tags: Sality
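Before working with a downloaded copy of this sample, confirm that the bytes on disk are the object this entry describes. The following is an added example written for this page (it is not MalwareBazaar's own tooling): it hashes a file once with all four algorithms listed above and reports which of the entry's digests and the listed file size match. The expected values are copied from the entry; only `hashlib` is used, so it runs anywhere.

```python
"""Verify a downloaded copy of the sample against the digests in this entry.

Added example for this MalwareBazaar page, not MalwareBazaar's own code.
The expected digests and size below are copied from the entry.
"""
import hashlib
import io
from typing import IO, Dict, Iterable

# Values copied from the MalwareBazaar entry.
EXPECTED_SAMPLE_HASHES: Dict[str, str] = {
    "sha256": "087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7",
    "sha3_384": "9b12776d9ffe03e12f5084363f97858cbc86c7c6618a7165d2ad5dbbe0765f27013989ed62aec6412ce8dbf4539b7bd5",
    "sha1": "ffe310f517cc7e6e7dc6ca10007338b2c1d09f66",
    "md5": "9940b1d4284582df2342b9c394b34d20",
}
EXPECTED_SAMPLE_SIZE = 1128810  # bytes, as listed in the entry


def digest_stream(stream: IO[bytes],
                  algorithms: Iterable[str] = tuple(EXPECTED_SAMPLE_HASHES),
                  chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a binary stream in one pass, feeding every requested algorithm.

    hashlib.new() accepts all the names used above (sha3_384 included), so the
    file is read exactly once no matter how many digests are wanted.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes,
                 algorithms: Iterable[str] = tuple(EXPECTED_SAMPLE_HASHES)) -> Dict[str, str]:
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data), algorithms)


def compare_hashes(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result, case-insensitive so pasted upper-case digests still match."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def verify_sample(path: str,
                  expected_hashes: Dict[str, str] = EXPECTED_SAMPLE_HASHES,
                  expected_size: int = EXPECTED_SAMPLE_SIZE) -> Dict[str, bool]:
    """Hash the file at `path` and report which listed values it matches.

    Every entry should be True. A size mismatch is the quickest sign that the
    wrong object (for example the download archive rather than the extracted
    executable) was hashed.
    """
    with open(path, "rb") as f:
        actual = digest_stream(f, tuple(expected_hashes))
        size = f.tell()  # stream is at EOF after hashing
    result = compare_hashes(actual, expected_hashes)
    result["size"] = size == expected_size
    return result


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(arg, verify_sample(arg))
```

Run it as `python verify.py <extracted sample>`; any False in the output means the file on disk is not the object this entry describes and should not be used as a reference for the indicators listed here.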

Intelligence


File Origin
Uploads: 1
Downloads: 140
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Launching a process
Changing an executable file
Modifying an executable file
Creating a file
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Blocking the Windows Security Center notifications
Blocking the User Account Control
Firewall traversal
Unauthorized injection to a system process
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling autorun with system ini files
Unauthorized injection to a browser process
Infecting executable files
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Detection: malicious
Classification: spre.evad (spreading, evasive)
Score: 92 / 100
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Writes to foreign memory regions
Yara detected Sality
Result
Threat name: Win32.Virus.Sality
Status: Malicious
First seen: 2020-07-25 06:46:00 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: upx evasion trojan
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Windows directory
Drops file in Program Files directory
Drops autorun.inf file
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
UPX packed file
Executes dropped EXE
UAC bypass
Modifies firewall policy service
Windows security bypass
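The three vendor reports above agree on a set of host changes: UAC disabled through the registry, Security Center notifications switched off, the safe-boot registry keys deleted, the Windows Firewall policy altered and Explorer set to hide hidden files. The following is an added triage example written for this page (not MalwareBazaar's or any vendor's code). The entry lists behaviours, not the exact keys and values the sample touches; the paths in the block are the documented Windows locations of those settings, and the checks are a generic heuristic for this class of tampering rather than a Sality signature. One caveat the checks handle: Windows hides hidden files by default, so "Enabling a 'Do not show hidden files' option" is only meaningful as a change from a known-good state, and the Explorer checks fire only when a baseline snapshot is supplied. The two snapshots in the block are constructed test data; `collect_live()` reads the same keys on a real Windows host.

```python
"""Triage a Windows registry snapshot for the host changes the sandbox
reports on this entry describe.

Added example for this page, not MalwareBazaar's or a vendor's code. Key
paths are the documented locations of these settings; the snapshots below
are constructed test data, not data from the sample.
"""
from typing import Dict, List, Optional

# key path -> {value name: data}; a key missing from the dict means it does not exist.
Snapshot = Dict[str, Dict[str, object]]

SAFEBOOT_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
]
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
FIREWALL_STD = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# (key, value name, expected data on an untampered host or None, finding text).
# None means there is no absolute expectation (Windows' own default is the
# "hidden" setting), so the value is only reported when it changed from a baseline.
VALUE_CHECKS = [
    (POLICIES_SYSTEM, "EnableLUA", 1, "UAC disabled via registry"),
    (SECURITY_CENTER, "AntiVirusDisableNotify", 0, "Security Center antivirus notifications disabled"),
    (SECURITY_CENTER, "FirewallDisableNotify", 0, "Security Center firewall notifications disabled"),
    (SECURITY_CENTER, "UpdatesDisableNotify", 0, "Security Center update notifications disabled"),
    (FIREWALL_STD, "EnableFirewall", 1, "Windows Firewall standard profile disabled"),
    (EXPLORER_ADV, "Hidden", None, "Explorer 'show hidden files' setting changed"),
    (EXPLORER_ADV, "ShowSuperHidden", None, "Explorer 'show protected OS files' setting changed"),
]


def triage(current: Snapshot, baseline: Optional[Snapshot] = None) -> List[str]:
    """Return human-readable findings for `current`.

    With a baseline (e.g. a snapshot taken before detonation) every watched
    value that changed is reported; without one, only values with a fixed
    expectation are judged. Missing safe-boot keys are reported either way.
    """
    findings: List[str] = []
    for key in SAFEBOOT_KEYS:
        if key not in current:
            findings.append(f"safe-boot key missing (safe mode broken): {key}")
    for key, name, expected, text in VALUE_CHECKS:
        actual = current.get(key, {}).get(name)
        if baseline is not None:
            before = baseline.get(key, {}).get(name)
            if before != actual:
                findings.append(f"{text} ({before!r} -> {actual!r}): {key}\\{name}")
            continue
        if expected is not None and actual is not None and actual != expected:
            findings.append(f"{text}: {key}\\{name} = {actual!r}")
    return findings


def collect_live() -> Snapshot:
    """Windows only: read the watched keys with winreg into Snapshot form."""
    import winreg  # imported here so the module loads on non-Windows hosts
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot: Snapshot = {}
    for path in dict.fromkeys(SAFEBOOT_KEYS + [c[0] for c in VALUE_CHECKS]):
        hive, _, subkey = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values: Dict[str, object] = {}
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
                snapshot[path] = values
        except FileNotFoundError:
            pass  # key absent: leave it out so triage() reports it if watched
    return snapshot


# Constructed test data (not from the sample): a clean host and the same host
# after the tampering the sandbox reports describe.
BASELINE_SNAPSHOT: Snapshot = {
    SAFEBOOT_KEYS[0]: {}, SAFEBOOT_KEYS[1]: {},
    POLICIES_SYSTEM: {"EnableLUA": 1},
    SECURITY_CENTER: {"AntiVirusDisableNotify": 0, "FirewallDisableNotify": 0, "UpdatesDisableNotify": 0},
    FIREWALL_STD: {"EnableFirewall": 1},
    EXPLORER_ADV: {"Hidden": 1, "ShowSuperHidden": 1},
}
TAMPERED_SNAPSHOT: Snapshot = {  # safe-boot keys deleted, everything else flipped
    POLICIES_SYSTEM: {"EnableLUA": 0},
    SECURITY_CENTER: {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1},
    FIREWALL_STD: {"EnableFirewall": 0},
    EXPLORER_ADV: {"Hidden": 2, "ShowSuperHidden": 0},
}

if __name__ == "__main__":
    for line in triage(TAMPERED_SNAPSHOT, BASELINE_SNAPSHOT):
        print(line)
```

On a live host, `triage(collect_live())` gives the baseline-free view; for detonation analysis, take `collect_live()` before and after and pass both so the Explorer changes are included. Running 32-bit Python on 64-bit Windows reads the WOW64-redirected `HKLM\SOFTWARE` view, so use a 64-bit interpreter for the Security Center and policy keys.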

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_sality_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Sality
Sample: Executable exe 087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7 (this sample)