MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Sality
Vendor detections: 18
| SHA256 hash: | 1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347 |
|---|---|
| SHA3-384 hash: | 45b38f4eb6e320c38e667763f9087fbfd95a19ee30e8d8a7f2840454e1667df346c70d936e4d35223c6486ccd1f402a1 |
| SHA1 hash: | cb752396327392f4be5ba71215e15e57b13d0ff1 |
| MD5 hash: | de702692d6ed669c9cbcb3a0e3b6af34 |
| humanhash: | massachusetts-king-white-floor |
| File name: | fa09d24d7481dbdfc1cff6aaa92d2aec908e037a22a02346f6feeee5d6ba688e.exe |
| Download: | download sample |
| Signature | Sality |
| File size: | 13'104'040 bytes |
| First seen: | 2025-03-17 04:04:13 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader) |
| ssdeep | 393216:3LNH1gz1+ZUUG9NWpHYV6ohIBfqHts7UU2wP3:3LZk1vUG964V6ysUs7U/u3 |
| Threatray | 52 similar samples on MalwareBazaar |
| TLSH | T1CED63370B34ACD87D5120D365BD16A3A89E2AC290DE1695BE3C2BF0DFE325153B4E712 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| dhash icon | d8e0d4f0f0b0d4c0 (4 x LummaStealer, 3 x Rhadamanthys, 1 x RiseProStealer) |
| Reporter |  2huMarisa |
| Tags: | exe Sality Virus |
Intelligence
File Origin
# of uploads :
1
# of downloads :
461
Origin country :
CZVendor Threat Intelligence
Malware family:
sality
ID:
1
File name:
fa09d24d7481dbdfc1cff6aaa92d2aec908e037a22a02346f6feeee5d6ba688e.exe
Verdict:
Malicious activity
Analysis date:
2025-03-17 04:07:11 UTC
Tags:
sality sainbox rat upx loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
autorun sality emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
Searching for synchronization primitives
Creating a window
Launching a process
Changing an executable file
Modifying an executable file
Enabling the 'hidden' option for recently created files
Blocking the Windows Security Center notifications
Blocking the User Account Control
Firewall traversal
Unauthorized injection to a system process
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling autorun with system ini files
Unauthorized injection to a browser process
Infecting executable files
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context blackhole installer microsoft_visual_cc overlay
Verdict:
Malicious
Labled as:
Virus.Sality
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sality
Verdict:
Malicious
Result
Threat name:
Sality
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Sality
Behaviour
Behavior Graph:
Score:
98%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Virus.Sality
Status:
Malicious
First seen:
2025-03-17 04:05:15 UTC
File Type:
PE (Exe)
Extracted files:
2099
AV detection:
33 of 36 (91.67%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
sality
Similar samples:
+ 42 additional samples on MalwareBazaar
Result
Malware family:
sality
Score:
10/10
Tags:
family:sality backdoor defense_evasion discovery trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
UPX packed file
Checks whether UAC is enabled
Enumerates connected drives
Loads dropped DLL
Windows security modification
Modifies firewall policy service
Sality
Sality family
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347
MD5 hash:
de702692d6ed669c9cbcb3a0e3b6af34
SHA1 hash:
cb752396327392f4be5ba71215e15e57b13d0ff1
SH256 hash:
db38f6eca793081ef43c1a92265a0168961bd729f4b3d96110c38122029eebac
MD5 hash:
714ed387fe6cf3435d1b3231af84588c
SHA1 hash:
90c9dc001228bf049b29ca0e4deb2663f917f11e
SH256 hash:
f2c9e917172dcf4ec70ce71d3807a423afb9bc3ed977bf9d0e9ab76d985ffae8
MD5 hash:
4d821bd14fe4b7c93c55831dbeabc05b
SHA1 hash:
c2eb2c9d64f71097217c388a03e3b7914bf81650
SH256 hash:
d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a
MD5 hash:
31de33a273cf87952e94d3534335a9b1
SHA1 hash:
4df636d4de33d549a3a6e27ca75e8eb60e77c77a
SH256 hash:
090ab2d0eeb543a0b185bdf939cf06031f874f2d11937404932f9934572388eb
MD5 hash:
4506b143e992a24b9ef74b8b6798e992
SHA1 hash:
0b65472bf809403c4e8a4a9dd8fe7dc1d89e5bf9
SH256 hash:
eadfc3958b96806208d5d3c07add0a458b83dbefd4396bbf0f00f3380b45ae54
MD5 hash:
3d1e9ec620595120ce399021258410ab
SHA1 hash:
169857175fe910ed5386a41d93d4d2655ad293d2
SH256 hash:
db427053589f1e51a9b95a1cd7325da259c6e5dd57fc11570c969f68fbfa723e
MD5 hash:
1dba69483f822c0b68971bd392ca0660
SHA1 hash:
1c27b97ae7ccad4fba8da41210b7480d04ae2768
SH256 hash:
7f1e7b2aac469ca7c692402108754c46c1b89c92ed248cf4daaf1aae01eadd9c
MD5 hash:
5fa78b36b155b157cd497c279b183d0f
SHA1 hash:
1c4106dbe79dc235e17ddc12b36843f2678fb55e
SH256 hash:
462bceac8cabaed4eeacb977d05e13db279fe3a027a7e90a782aa84a9b7f9e42
MD5 hash:
6bd819c70adaf624fc8375b7953b5f7b
SHA1 hash:
27c8e371840abe4ec10fb23876caeceea6e507f6
SH256 hash:
419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04
MD5 hash:
ee68463fed225c5c98d800bdbd205598
SHA1 hash:
306364af624de3028e2078c4d8c234fa497bd723
SH256 hash:
281f9317aabc46ceea886ed655bb93fefceead3170d4e15288428be4652a47fe
MD5 hash:
3067b042aa4d4a259fcbc311b8a202d2
SHA1 hash:
40204e38ad9182ec0b3c16ac7f8b19abcc9aa18c
SH256 hash:
9c31fd89d31f9e844549235cd6203fc26224f0a743bf4ec94bc6636ee42784e5
MD5 hash:
01521ca604791ccbe9b05e53534b4cf5
SHA1 hash:
431ac653f130a3d183dcc3ea5d1e80ffd8fcebfc
SH256 hash:
385c8b0c31586a04b1a7537ef5bde96d2ac1240139c397cca09749c665e72c6c
MD5 hash:
da2dd0ac211baded79e7db0f6d5c445b
SHA1 hash:
4fd4be61e212f9ace2d3090eb6194da183764b76
SH256 hash:
f0103830b9daa1a5bcb549e059c5920554154ece92d2e3c4454523fa59994a48
MD5 hash:
d69345e88c9e9532cd987e63e563fcb4
SHA1 hash:
5259aa1225849e9b47694c55016367d0a03ffda2
SH256 hash:
b7ca9cccc331d7aded6167f11b47e7a2ee30977da068ce7bd4bfc78b9ed5ff39
MD5 hash:
a5858bc3d0cb09cb1930a24c4fc33cce
SHA1 hash:
5a7ef25cb926b3e34bb00b405514a3156de7d9ab
SH256 hash:
6e7caff853e74139ae670e7801ff6460b8765af96a424d62d707f4ba295d34ab
MD5 hash:
81ed4488801688a6a7ce4013300d881e
SHA1 hash:
5b19c15b6d0dc22f9250ab53e2256ec22f778fed
SH256 hash:
3aef12f23135f3d041041d2307d45660cf42d2533897c8eb0137dc6ace18faa2
MD5 hash:
823fc8bc38ed2543e01bf2469b8ec875
SHA1 hash:
60254c01186068b75bb8f414c19ca5beabb2f42a
SH256 hash:
37164a6ae81627dea8a8e2b2996267afe1ffdb8afe6c2d7711195dafabe9ac42
MD5 hash:
9957f49de36aba7cb8c90c27588fca1a
SHA1 hash:
63901857140295b63b81945a9a8cab47b496fa6a
SH256 hash:
ea7800b89e49e7d7214c1405b4906f366096dfadff28d0732acb90ab2e9a99bd
MD5 hash:
9c266c2dc7eca5bcab2d8df4990e0c1f
SHA1 hash:
662da3d9ca18aacdbaef884065fbfffdfacfabfa
SH256 hash:
f2f554625983a32dd81875dbfd771a4d6ad4788cac1951396ee5246c311bdb40
MD5 hash:
74466f748880143f85b4364f5c8d990c
SHA1 hash:
66b4918f07282aa353ae148439347b0001d71360
SH256 hash:
a0260f995e2e1edde0f940b5438004493639e907de79500fedd29105de06ab9a
MD5 hash:
7f018e401975e6556e2a8ccad4b52758
SHA1 hash:
6a3149fd972a4a48dc1292ce70db587894e1b383
SH256 hash:
bd5a40a25cc32f47c32dc73350a2090e00f1d55c299ba8b36222cf703e9850d6
MD5 hash:
bfafc5e6a8f5c30ae356b37dd47a823f
SHA1 hash:
7c9c74868082226df8195caf02aad8802672305b
SH256 hash:
116cfa32499b2024474b82399823e1e5af2312e0830ac21b9472eb520723cdf6
MD5 hash:
742e61dcc7041c2e97b396cc81cda91e
SHA1 hash:
91346c2f53e5fafb268e437ca05a047863b0e751
SH256 hash:
7856109d11abce767f5b7de5c7b4929dfb4610ca63c09fd2312eaa7be2538726
MD5 hash:
e58b038512e401f6a4dd04cc755bfaa1
SHA1 hash:
9446bf8cc98dd858e6132eea113aa282fc56095c
SH256 hash:
6a6ab2e5dcc0ec9e74d93b79eafc88214672481fdf1ea4f23f66f399cf7b98d2
MD5 hash:
99232ebf3871fcd6c44af0b981b46918
SHA1 hash:
9fe15afe0248e92e9e1f2525ee7409963f0efe39
SH256 hash:
525a524e975f43af7d972c3523806567a96ef86d349acec9cf542612ca0966e0
MD5 hash:
ac8d9ac6ed1c4d1b80c9db3c86c31195
SHA1 hash:
a0bf08345eacaa10150fdd7c77f70aca839446ab
SH256 hash:
0da723dc13234e5a30285a7e2e3fb88aaf68de2697c665398b2ac1f55b541f0b
MD5 hash:
4a59f4d9c4cbfd24ededf1d0c4a440e6
SHA1 hash:
c7ae081b0379691744d907b3c06c75f88b1c85f8
SH256 hash:
f5b53f1695e3b8d2ac5b92490a59300f2e4d24fa1a60b581cd0072883a316a16
MD5 hash:
88d11b438afbdb2ffa67fe23e917f779
SHA1 hash:
cac6cd0f30fbbb329b427a117d39170d7cd6e8e2
SH256 hash:
09347e915263406f8a237300272927a573da1f4faa36e360ff5428bbc9e08ec9
MD5 hash:
6fc591307e61aebc513e1a4fc12cbc19
SHA1 hash:
d5408f1b097eca2f1cf4126a57ebc3f94c5f7f4b
SH256 hash:
9651a6b006e307ed4ec5c0d66b7ad8f3ce552ae7a69938d9a3a62ac5ac7f5694
MD5 hash:
8b8088ab542c0697eae51c46b16db51b
SHA1 hash:
d8bd7eeeaa47460ca4dd5e33e93943ed58490b74
SH256 hash:
8f8d98f851386ee36354820b73566497bfb592cf87c5f876907d1b2ccf977a25
MD5 hash:
4533c17d53314ea669a6bc329f2a7687
SHA1 hash:
e01e9b06657395c085472554335a0c5ba7e96ebb
SH256 hash:
b6cc2b7621fbc02de5311845ba0e4b7495e201454d7eafb6cff3ba20e29f3463
MD5 hash:
e9a1c6c62c078f7ac2bc9776c0c5e3f0
SHA1 hash:
e3df0f3e2565cb51553f0c6098a851ea190d01eb
SH256 hash:
1bb336b2deb72b1f1832d7974296e02ed11bb7674421acd93f8654baf03ee781
MD5 hash:
21a6bc8ca3781451d13971307998d026
SHA1 hash:
e96829f696dfc10a454829a4298b7803cd0c3980
SH256 hash:
75f71101e8b0a92ffcedc2362b12e6f8544c5141b87b6de90c53d2342b51a7f6
MD5 hash:
e8ca75cafc225471bb3429a8837d435d
SHA1 hash:
ff275a9ce89cbc2d8f8bd00df84c0bc30281a88c
SH256 hash:
12d2ce5214139fec057345d324388637f933c60770f90ac8aacc3290e39e369d
MD5 hash:
e1744118a035f07360c309da3fd6ebe7
SHA1 hash:
c84064bebbf95ed0acb3c0a6a2c3fbc55a4510c0
Detections:
win_sality_auto
win_sality_g0
sality
Sality_Malware_Oct16
INDICATOR_EXE_Packed_SimplePolyEngine
Parent samples :
e9f7f68eccbf03a44f620273a1091733166d66d2ec2d64bbb03119300fed543c
2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4
22c96890feb3ba58ca20a314d560e38f419f2eb2629b3c039b32815ec9539916
20ad1e6af5c86cb19ced3387f0a7928d98d5b62537d525d1a63e3ecd4a039bba
15c6840bc9c2de096c1a94d264da4d6d6cd148b7daf1b6399b76133a8a53b9d7
181695ba0cdd4904f94b59450af4022fb811da81f386dca90d439f7c66566c0b
775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
553fa159e5821f1847188e61ad2656550829d17b04b76eb8a1849a211605c6b2
2badff2b4c5f2bd4a0a40b75086a1a4d723ebb5d5d477fb7fdd9ba7a028903c9
14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964
7791f6e183515895b573412d3a79befa3e481e933a887fd4b51f515aad0bab95
c20a675a7c0046fd58a05b88fcd7be276f64dbcd291fb90a1fe92560a250cfd6
1248bf51c48a4325bf5765060d16d36f7d787f283e61513b6fa025d1b37c8b4c
b035c0d4a9bcaf0291c28662da3efdbb43296bbff24e96a0252a95998d91c972
7bb9e21749e29d8db44d7c033bcb5c9bbc7a04586cd0fc2f1091aa444ddd2aae
49829d913ad9361f4234eb5d45bd40ed6d657465263aa205cc44c0fbd27f7425
fe7312adcee75959980e8c85849fb18d24cbb39f0b1bb10ad53cddec70739fa1
f183afdbd9102f8f73a6194e3e5124314f4e77bfc9a2463ade664042550e6d36
9bf323d0fad8d66f4efeec4b03b3dd264c94c87a77c13ebbf1eb44b10a3b94ee
ce958e0fed577192e6d4a5ed1985acfe87e40b7c1527e7d6c93d745edde254a3
6333864c5e234f8622b331f72f2d6976e4cbd236d4ba943a9957d73341cb7db4
93ae1e3a03f14d568f81503cbd408294b7abbf7c252a1653635b40e96400ea2e
59ed81c319e33dcedb4571fa5f1252daa39bf94bd875d39e5cb7a1d9be032ad0
6702fef486a9118c11cbd50a3d920950a3e239332b4e2edc7ae84bd3c8951191
b594e7d2cd6cdaecba9978ca0929ac083d9588cf842c69475e477f442c6de66d
a865db64819d48be0bb2d15ac649b8e38823593aad09dc9af315441cdbcd598b
270496a7295b20141133c2270e6c037c9daf1b34d46dad6ef2bdfeae1dc8f78c
23d764c47d7c9b05bcbc874456bb1ebbc26e726944c2280d16710973953f1961
d4d75b95c87f9c2f5619752e878a6d99b17da4b75d9948f850824e2d0cec35ec
5d67421217598ead7df619e3b9ebc163d55302489c401a2cbe7257f0c3633f17
eae00bf2ce5d6e12a78682a4287d3ea10e4a8acd8db7231388281cff7bf653db
b4881a59d74b3cf79d3b137b9463eed5d1fe618a03cd50a27b07e237f371a41f
20b49c0ad729a35bc8dfce10bacda3083fe559309f87b4b91df6f5f17ecb0365
c22665c773d8bbc0b80479855c0c66211d3512b397fcfd2ba42b17bf1febbbf1
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a
2a04208e8c8aaaf817cd501fbd33c25fee503d5718db169c2f7c8acac68e54bf
0e252c0d6caed04398b0d93b99fb698177dfa8f47706d019281a299c7344b4f2
83f08985cb0b16f7003bf3a71819cba4bb5bf53cfe0a4bdb4fec5131d46ba6f5
5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43
f8c306717404e547eb3b33ac8b4c50ea9dd828e72dbd661e36608c82f4a1dc7b
026c3a6ca8d97570ffb364d55e656d213a00b674dcc79fc5b9e67b267db39a21
e33165272a98374486916aac8ee23e881301a54aca5218ba1b4943917a8ca0be
1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347
7fb1ef9b5fbdebbbb313c2e0b4fa26ed3eb4131eb31d95a065613cf0ae7abf1c
c6eded88237526dd547c1d9aa1bc08563bb478ea3a1012432a6c450ab0546177
83eaedff3f924be2f353caf7b6139959fbfcd4d0a0e853f355f1b099f5962dca
d845a27df63f11be5747a75554d5c3d16ec3a5fea9004a5821411760a4ca78fe
295cb7d68d38d06bc0218c99e5f4a8436637c356606c5e83f763a1a777a4c842
276a55013af5996b82cf0a2534987adc19c8ce9b0277d5fc3e5bc8e90aab8545
016c33b4df7b68f1d57a24a2137f199cd6a59f417c8dc49210e7a552d9b01936
160e27a3657f4f3be7bc08d8d9012a59aa616fa57cec4b0a85895329026ace97
bd113ea6d2915f0ee3546ab75ff3e0ae60e120365a2fbaaf42ffd3909a175db4
f693ee5261989061cb7e219d22b6cd549c30889acc0e527513ca6495255deddc
237d4d3519c19e499ccf9becf595b3d74635a95ce50e28d464d15500e8558586
21f1b99116e1894e2a15ca5f429d36cdbd558190a1686e17ac3f0d7142cfc151
6039aa551a78430376f281fe1dbd47f6823ee3f0547a726cddfe99b488a4b549
002a1fb348c592c6464f6f5a2a7a47a0e097733da8e9ae1aa939e86bd0fc75a2
a2008f02a0367b03c1aab6b53fd5e65356e76b553f9d36e9c64477448883ebd3
ce6102a9f4d29bf39d2667c4f81a0d4c735df47eeaca2c01e5294ec9a0b26e94
6ce384777feb1be07abaa5d2ce88fb2b5841d036118c01e00e4e375f06580a33
2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4
22c96890feb3ba58ca20a314d560e38f419f2eb2629b3c039b32815ec9539916
20ad1e6af5c86cb19ced3387f0a7928d98d5b62537d525d1a63e3ecd4a039bba
15c6840bc9c2de096c1a94d264da4d6d6cd148b7daf1b6399b76133a8a53b9d7
181695ba0cdd4904f94b59450af4022fb811da81f386dca90d439f7c66566c0b
775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
553fa159e5821f1847188e61ad2656550829d17b04b76eb8a1849a211605c6b2
2badff2b4c5f2bd4a0a40b75086a1a4d723ebb5d5d477fb7fdd9ba7a028903c9
14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964
7791f6e183515895b573412d3a79befa3e481e933a887fd4b51f515aad0bab95
c20a675a7c0046fd58a05b88fcd7be276f64dbcd291fb90a1fe92560a250cfd6
1248bf51c48a4325bf5765060d16d36f7d787f283e61513b6fa025d1b37c8b4c
b035c0d4a9bcaf0291c28662da3efdbb43296bbff24e96a0252a95998d91c972
7bb9e21749e29d8db44d7c033bcb5c9bbc7a04586cd0fc2f1091aa444ddd2aae
49829d913ad9361f4234eb5d45bd40ed6d657465263aa205cc44c0fbd27f7425
fe7312adcee75959980e8c85849fb18d24cbb39f0b1bb10ad53cddec70739fa1
f183afdbd9102f8f73a6194e3e5124314f4e77bfc9a2463ade664042550e6d36
9bf323d0fad8d66f4efeec4b03b3dd264c94c87a77c13ebbf1eb44b10a3b94ee
ce958e0fed577192e6d4a5ed1985acfe87e40b7c1527e7d6c93d745edde254a3
6333864c5e234f8622b331f72f2d6976e4cbd236d4ba943a9957d73341cb7db4
93ae1e3a03f14d568f81503cbd408294b7abbf7c252a1653635b40e96400ea2e
59ed81c319e33dcedb4571fa5f1252daa39bf94bd875d39e5cb7a1d9be032ad0
6702fef486a9118c11cbd50a3d920950a3e239332b4e2edc7ae84bd3c8951191
b594e7d2cd6cdaecba9978ca0929ac083d9588cf842c69475e477f442c6de66d
a865db64819d48be0bb2d15ac649b8e38823593aad09dc9af315441cdbcd598b
270496a7295b20141133c2270e6c037c9daf1b34d46dad6ef2bdfeae1dc8f78c
23d764c47d7c9b05bcbc874456bb1ebbc26e726944c2280d16710973953f1961
d4d75b95c87f9c2f5619752e878a6d99b17da4b75d9948f850824e2d0cec35ec
5d67421217598ead7df619e3b9ebc163d55302489c401a2cbe7257f0c3633f17
eae00bf2ce5d6e12a78682a4287d3ea10e4a8acd8db7231388281cff7bf653db
b4881a59d74b3cf79d3b137b9463eed5d1fe618a03cd50a27b07e237f371a41f
20b49c0ad729a35bc8dfce10bacda3083fe559309f87b4b91df6f5f17ecb0365
c22665c773d8bbc0b80479855c0c66211d3512b397fcfd2ba42b17bf1febbbf1
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a
2a04208e8c8aaaf817cd501fbd33c25fee503d5718db169c2f7c8acac68e54bf
0e252c0d6caed04398b0d93b99fb698177dfa8f47706d019281a299c7344b4f2
83f08985cb0b16f7003bf3a71819cba4bb5bf53cfe0a4bdb4fec5131d46ba6f5
5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43
f8c306717404e547eb3b33ac8b4c50ea9dd828e72dbd661e36608c82f4a1dc7b
026c3a6ca8d97570ffb364d55e656d213a00b674dcc79fc5b9e67b267db39a21
e33165272a98374486916aac8ee23e881301a54aca5218ba1b4943917a8ca0be
1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347
7fb1ef9b5fbdebbbb313c2e0b4fa26ed3eb4131eb31d95a065613cf0ae7abf1c
c6eded88237526dd547c1d9aa1bc08563bb478ea3a1012432a6c450ab0546177
83eaedff3f924be2f353caf7b6139959fbfcd4d0a0e853f355f1b099f5962dca
d845a27df63f11be5747a75554d5c3d16ec3a5fea9004a5821411760a4ca78fe
295cb7d68d38d06bc0218c99e5f4a8436637c356606c5e83f763a1a777a4c842
276a55013af5996b82cf0a2534987adc19c8ce9b0277d5fc3e5bc8e90aab8545
016c33b4df7b68f1d57a24a2137f199cd6a59f417c8dc49210e7a552d9b01936
160e27a3657f4f3be7bc08d8d9012a59aa616fa57cec4b0a85895329026ace97
bd113ea6d2915f0ee3546ab75ff3e0ae60e120365a2fbaaf42ffd3909a175db4
f693ee5261989061cb7e219d22b6cd549c30889acc0e527513ca6495255deddc
237d4d3519c19e499ccf9becf595b3d74635a95ce50e28d464d15500e8558586
21f1b99116e1894e2a15ca5f429d36cdbd558190a1686e17ac3f0d7142cfc151
6039aa551a78430376f281fe1dbd47f6823ee3f0547a726cddfe99b488a4b549
002a1fb348c592c6464f6f5a2a7a47a0e097733da8e9ae1aa939e86bd0fc75a2
a2008f02a0367b03c1aab6b53fd5e65356e76b553f9d36e9c64477448883ebd3
ce6102a9f4d29bf39d2667c4f81a0d4c735df47eeaca2c01e5294ec9a0b26e94
6ce384777feb1be07abaa5d2ce88fb2b5841d036118c01e00e4e375f06580a33
SH256 hash:
185cafa5d4b8a00fb7ebd50d49dc2963d08ebe6d04e5a79caf55a80b5a8a4d0e
MD5 hash:
52707629b1ead494f0831c36460611a9
SHA1 hash:
facd6b2954b0dcb8705618ac986d3dda014968a0
Detections:
Sality_Malware_Oct16
INDICATOR_EXE_Packed_SimplePolyEngine
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_SimplePolyEngine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser |
|---|---|
| Author: | malware-lu |
| Rule name: | UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser |
|---|---|
| Author: | malware-lu |
| Rule name: | upx_largefile |
|---|---|
| Author: | k3nr9 |
| Rule name: | Windows_Generic_MalCert_65514fe0 |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::SetFileSecurityW |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.