MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sality


Vendor detections: 15



SHA256 hash: 30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad
SHA3-384 hash: 4058601b8d59bdade12f77e61e9e438d62e8cb1b88d20690025c369db15e0fea1a0fdd59b71bd6329d64ef35742cba1b
SHA1 hash: e6ae4dd7729fe30104c594d4bc7ee0f15cca4a7f
MD5 hash: 9caa356fa5581b7e8f7d7e64d520223d
humanhash: seven-yellow-table-low
File name: file
Signature: Sality
File size: 1'023'725 bytes
First seen: 2025-08-20 16:13:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ec52b856484588a741da264a7e0bd180 (1 x njrat, 1 x Sality)
ssdeep: 24576:5wn0a4mZ4Nj9KRpRoUWmmKKR+Pz3VZcwZ60PX0wS7fLIonJwDl7:5wn7VSNj4fWm/KUPDVZnZfPtEL7c7
Threatray: 65 similar samples on MalwareBazaar
TLSH: T1E3251242B54081F1F4107532E95D27A79A317C3AAB50A11B63B0BF6D3DF02626E1BF6B
TrID: 90.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: b030e09cd8c9d899 (1 x Sality)
Reporter: jstrosch
Tags: exe Sality
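The identifiers above are what an analyst pivots on. The Python below is an added example, not code from MalwareBazaar: it computes the four digests the entry lists for an arbitrary file, checks that the bytes are a PE as the MIME type application/x-dosexec implies (MZ header, e_lfanew pointing at the PE signature), and compares the result with this entry's hashes. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, python-tlsh) and are left out; note also that the imphash above is shared with an njrat sample, which is typical for packed binaries and is why imphash is a weak pivot on its own. The input used when no path is given is a constructed MZ/PE stub, not the sample.

```python
# Added example (not code from MalwareBazaar): compute the digests this entry
# lists, sanity-check that the bytes are a PE (MIME application/x-dosexec),
# and compare against the entry's own identifiers. imphash, ssdeep and TLSH
# need third-party libraries (pefile, ssdeep, tlsh) and are left out.
import hashlib
import struct

# Identifiers copied from the entry above.
ENTRY = {
    "sha256": "30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad",
    "sha1": "e6ae4dd7729fe30104c594d4bc7ee0f15cca4a7f",
    "md5": "9caa356fa5581b7e8f7d7e64d520223d",
    "sha3_384": "4058601b8d59bdade12f77e61e9e438d62e8cb1b88d20690025c369db15e0fea1a0fdd59b71bd6329d64ef35742cba1b",
}


def fingerprint(data: bytes) -> dict:
    """The four digests MalwareBazaar shows, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if there is an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def match_entry(fp: dict, entry: dict = ENTRY) -> dict:
    """Per-hash agreement with the entry. Any mismatch means different bytes;
    a repacked or re-infected copy will miss on every one of these."""
    return {name: fp.get(name) == value for name, value in entry.items()}


def triage(data: bytes, entry: dict = ENTRY) -> dict:
    fp = fingerprint(data)
    hits = match_entry(fp, entry)
    return {"pe": is_pe(data), "same_sample": all(hits.values()), "hashes": fp}


# Constructed stand-in: a bare MZ stub with e_lfanew = 0x40 and a PE signature
# there. It is not the Sality sample, only an input to exercise the code.
_stub = bytearray(b"MZ" + b"\x00" * 0x3E + b"PE\x00\x00" + b"\x00" * 16)
struct.pack_into("<I", _stub, 0x3C, 0x40)
SAMPLE = bytes(_stub)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(triage(blob))
```

Run it as `python triage.py Hallmark.exe` (name assumed) to confirm a retrieved file is byte-identical to this entry before relying on the vendor verdicts below; a file-infector like Sality produces a different set of hashes for every host file it touches, so a miss here does not mean the file is clean.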


jstrosch
Found at hxxp://192.140.225[.]33/phpMyAdmin/Hallmark.exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 55
Origin country: CA
Vendor Threat Intelligence
Malware family: meterpreter
ID: 1
File name: 2to1ep.bin
Verdict: Malicious activity
Analysis date: 2025-08-19 01:05:15 UTC
Tags: auto metasploit framework python possible-phishing xtinyloader loader github stealc stealer meterpreter backdoor payload phishing clickfix miner modiloader redline generic agenttesla koadic xworm rat tinynuke dbatloader coinminer anydesk tool purelogsstealer asyncrat cobaltstrike vidar valley meta quasar njrat pyinstaller remote amadey botnet whitesnakestealer formbook phorpiex ransomware cryptolocker gh0st vipkeylogger keylogger remcos masslogger bruteratel evasion nanocore screenconnect rmm-tool rdp koiloader snake rustystealer bladabindi xred donutloader loki azorult neshta clipper diamotrix lumma dcrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun sality emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a file in the %temp% subdirectories
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Launching a process
Running batch commands
Creating a process from a recently created file
Reading critical registry keys
Connection attempt
DNS request
Launching a service
Blocking the Windows Security Center notifications
Blocking the User Account Control
Firewall traversal
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Enabling a "Do not show hidden files" option
Enabling autorun with system ini files
Unauthorized injection to a browser process
Malware family: Generic Malware
Verdict: Malicious
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Virus.Sality
Status: Malicious
First seen: 2023-06-14 19:14:44 UTC
File Type: PE (Exe)
Extracted files: 116
AV detection: 35 of 38 (92.11%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:sality backdoor defense_evasion discovery persistence trojan upx
Behaviour
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
UPX packed file
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Windows security modification
Modifies firewall policy service
Sality
Sality family
UAC bypass
Windows security bypass
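Both behaviour lists above describe registry writes: the first vendor's "Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch", "Enabling autorun with the shell\open\command registry branches", "Blocking the User Account Control", "Blocking the Windows Security Center notifications" and "Enabling a 'Do not show hidden files' option"; the second's "Adds Run key to start application", "Runs .reg file with regedit", "UAC bypass" and "Modifies firewall policy service". A Sysmon Event ID 13 (RegistryEvent, SetValue) feed captures all of these. The Python below is an added example, not from the entry or any vendor: detection rules for those locations, run over constructed event records. The key paths, the clean baseline value for exefile\shell\open\command (`"%1" %*`) and the DWORD meanings (EnableLUA = 0, *DisableNotify = 1, Explorer Advanced\Hidden = 2) are the author's assumptions about a default Windows install; the dropper path and SID in the records are invented.

```python
# Added example (not from MalwareBazaar or any sandbox vendor): registry-write
# detections for the persistence / defence-evasion behaviours listed above,
# run over constructed records shaped like Sysmon Event ID 13 (RegistryEvent
# SetValue: Image, TargetObject, Details). Key paths and the "clean" baseline
# values are the author's assumptions about a default Windows install.
import re


def dword(details: str):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; return the integer or None."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


# (rule name, regex over TargetObject, optional predicate over Details)
RULES = [
    ("run_key_autorun",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
     None),
    # Default handler for .exe is "%1" %*; anything else runs the payload first.
    ("exefile_open_command_hijack",
     re.compile(r"\\Classes\\exefile\\shell\\open\\command\\\(Default\)$", re.I),
     lambda d: d.strip() != '"%1" %*'),
    ("uac_disabled",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     lambda d: dword(d) == 0),
    ("security_center_notify_off",
     re.compile(r"\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", re.I),
     lambda d: dword(d) == 1),
    ("firewall_policy_change",
     re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I),
     None),
    # Explorer Advanced\Hidden: 1 = show hidden files, 2 = do not show.
    ("hide_hidden_files",
     re.compile(r"\\Explorer\\Advanced\\Hidden$", re.I),
     lambda d: dword(d) == 2),
]


def evaluate(event: dict) -> list:
    """Names of every rule the single event satisfies."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "") or ""
    return [name for name, pattern, pred in RULES
            if pattern.search(target) and (pred is None or pred(details))]


def scan(events: list) -> list:
    """(Image, rule) pairs over a batch, in input order. The Image is reported
    but deliberately not used for matching: a .reg import makes regedit.exe
    the writer, so keying on the dropper's path would miss that route."""
    return [(e.get("Image", "?"), rule) for e in events for rule in evaluate(e)]


# Constructed events; the dropper path and SID are invented for the example.
DROPPER = r"C:\Users\u\AppData\Local\Temp\winabcd.exe"
EVENTS = [
    {"Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\winabcd",
     "Details": DROPPER},
    {"Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": '"' + DROPPER + '" "%1" %*'},
    # Benign: Explorer writing the default "show hidden files" value.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, rule in scan(EVENTS):
        print(f"{rule:30} {image}")
```

The Run-key and firewall-policy rules have no value predicate and will fire on legitimate installers, so they belong in a correlation (several rules from one process tree within minutes) rather than as stand-alone alerts; the UAC, Security Center and exefile rules are specific enough to page on.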
Malware Config
C2 Extraction:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
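The C2 URLs above, together with the defanged download URL in the reporter comment, are the network IOCs worth operationalising. The Python below is an added example, not code from MalwareBazaar or any vendor: refang/defang helpers, an index of the C2 hosts and paths, and a matcher run over constructed proxy log lines. The log format, the 10.0.0.x client addresses and the example.* hostnames are invented for the example. A known host is treated as a firm hit; a known path on an unknown host is reported as a weaker "path" hit, because paths like /home.gif are generic and false-positive on their own.

```python
# Added example (not code from MalwareBazaar or any vendor): refang/defang
# helpers, an index of the C2 hosts and paths extracted above plus the
# reporter's defanged download URL, and a matcher run over constructed proxy
# log lines. The log format and the benign hostnames are invented.
import re
from urllib.parse import urlsplit

C2_URLS = [  # copied from the "C2 Extraction" list above
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]
DOWNLOAD_URL_DEFANGED = "hxxp://192.140.225[.]33/phpMyAdmin/Hallmark.exe"  # reporter comment


def refang(s: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Defang for safe sharing: hxxp scheme and [.] in the host only."""
    p = urlsplit(url)
    out = f"hxxp{p.scheme[4:]}://{p.netloc.replace('.', '[.]')}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


def build_index(urls):
    """Lower-cased host set and non-root path set from (possibly defanged) URLs."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlsplit(refang(u))
        hosts.add((p.hostname or "").lower())
        if p.path and p.path != "/":
            paths.add(p.path.lower())
    return hosts, paths


HOSTS, PATHS = build_index(C2_URLS + [DOWNLOAD_URL_DEFANGED])

# Constructed log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines):
    """(client, url, reason) for each matching line. A known host is a firm
    'host' hit; a known path on an unknown host is a weak 'path' hit, because
    paths like /home.gif are generic and will false-positive on their own."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        p = urlsplit(m["url"])
        host = (p.hostname or "").lower()
        if host in HOSTS:
            hits.append((m["src"], m["url"], "host"))
        elif p.path.lower() in PATHS:
            hits.append((m["src"], m["url"], "path"))
    return hits


LOG = [  # constructed proxy lines; 10.0.0.x clients and example.* hosts are invented
    "2025-08-20T16:20:01Z 10.0.0.15 GET http://kukutrustnet777.info/home.gif 200",
    "2025-08-20T16:20:03Z 10.0.0.15 GET http://89.119.67.154/testo5/ 404",
    "2025-08-20T16:21:10Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2025-08-20T16:22:45Z 10.0.0.15 GET http://192.140.225.33/phpMyAdmin/Hallmark.exe 200",
    "2025-08-20T16:23:00Z 10.0.0.31 GET http://cdn.example.net/home.gif 200",
]

if __name__ == "__main__":
    for src, url, reason in scan_log(LOG):
        print(f"{reason:4} {src:10} {defang(url)}")
```

The C2 domains have been sinkholed or dead for years, so a 404 or a DNS failure on them is still a positive: the point of the match is that a host tried, which identifies an infected machine even when no payload came back.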
Unpacked files
SHA256 hash: 30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad
MD5 hash: 9caa356fa5581b7e8f7d7e64d520223d
SHA1 hash: e6ae4dd7729fe30104c594d4bc7ee0f15cca4a7f

SHA256 hash: 8a5988566ed33e27c3d14fc5792463fbd65f95130dc13402e82dfeaad90ef28a
MD5 hash: 1f88dd6e5a3182dcf135807d2a5688bd
SHA1 hash: 0808ee512a0ff8c1d29cdae2a464851c5bc56b4e

SHA256 hash: e2564af56a2c589b789b800ae0a7db86f797e75fdba6ad9a9d89bd99755cea98
MD5 hash: 39fb209d91bbedfdf549038427b2d61a
SHA1 hash: 4b72ec411b7fb65c914106b4af0a7127389e496a
Detections: win_sality_auto

SHA256 hash: 601291e7c3deaef5303aaeaae10e69661c66cc477ac496080deffdb4ce097788
MD5 hash: 4e0d9c5250f50efd9a40b08218ce9187
SHA1 hash: 0e6e614d0bb2b19b17406f3d5c0990672957c4ed

SHA256 hash: d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a
MD5 hash: 31de33a273cf87952e94d3534335a9b1
SHA1 hash: 4df636d4de33d549a3a6e27ca75e8eb60e77c77a

SHA256 hash: 2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517
MD5 hash: 57cde8ddd4261277272a6151855f8966
SHA1 hash: 9afc39cfad97a3ce12949b65c05f438025fdbac2
Detections: win_sality_auto win_sality_g0 sality Sality_Malware_Oct16 INDICATOR_EXE_Packed_SimplePolyEngine

SHA256 hash: b8175bae98cb8de437811a643beada8da3c99cc18275e7407bd21edfe66785ed
MD5 hash: 57fc806263b2163dcce66a168c9a1d46
SHA1 hash: 182295fe70abf96853c08668f95597c910368a8c
Detections: Sality_Malware_Oct16 INDICATOR_EXE_Packed_SimplePolyEngine
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: INDICATOR_EXE_Packed_SimplePolyEngine
Author: ditekSHen
Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256 hash
Web download      Sality      Executable exe   30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high
Reviews
ID                   Capabilities                        Evidence
AUTH_API             Manipulates User Authorization      ADVAPI32.DLL::SetFileSecurityA
COM_BASE_API         Can Download & Execute components   OLE32.DLL::CoCreateInstance
                                                         OLE32.DLL::CreateStreamOnHGlobal
SECURITY_BASE_API    Uses Security Base API              ADVAPI32.DLL::AdjustTokenPrivileges
                                                         ADVAPI32.DLL::SetFileSecurityW
SHELL_API            Manipulates System Shell            SHELL32.DLL::ShellExecuteExA
                                                         SHELL32.DLL::SHFileOperationA
                                                         SHELL32.DLL::SHGetFileInfoA
WIN32_PROCESS_API    Can Create Process and Threads      ADVAPI32.DLL::OpenProcessToken
                                                         KERNEL32.DLL::CloseHandle
WIN_BASE_API         Uses Win Base API                   KERNEL32.DLL::LoadLibraryA
                                                         KERNEL32.DLL::GetCommandLineA
WIN_BASE_IO_API      Can Create Files                    KERNEL32.DLL::CreateDirectoryA
                                                         KERNEL32.DLL::CreateDirectoryW
                                                         KERNEL32.DLL::CreateFileA
                                                         KERNEL32.DLL::CreateFileW
                                                         KERNEL32.DLL::DeleteFileA
                                                         KERNEL32.DLL::DeleteFileW
WIN_BASE_USER_API    Retrieves Account Information       ADVAPI32.DLL::LookupPrivilegeValueA
WIN_REG_API          Can Manipulate Windows Registry     ADVAPI32.DLL::RegCreateKeyExA
                                                         ADVAPI32.DLL::RegOpenKeyExA
                                                         ADVAPI32.DLL::RegQueryValueExA
                                                         ADVAPI32.DLL::RegSetValueExA
WIN_USER_API         Performs GUI Actions                USER32.DLL::FindWindowExA
                                                         USER32.DLL::PeekMessageA
                                                         USER32.DLL::CreateWindowExA

Comments