MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sality

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d
SHA3-384 hash:	c1879133315a3957c508753bb156a940cdc351298e572694ab74cc76eeb113e7f22c1663e4cb025b2b72aa53b8e26675
SHA1 hash:	08d3fde9daa0f0c9d9e924110c9d559486c8b6dc
MD5 hash:	e52f3372030bb435777d88a709187eea
humanhash:	steak-tennessee-juliet-fish
File name:	e52f3372030bb435777d88a709187eea.exe
Download:	download sample
Signature	Sality Create hunting rule
File size:	4'158'265 bytes
First seen:	2021-07-28 18:01:59 UTC
Last seen:	2021-07-28 18:57:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf33765b3ad3b105c0b29bcf6093d0c2 (6 x Sality)
ssdeep	98304:Xa7k1snEi5p/FPjYuhLTTGgWR8D6yV9xKsTqvGljc7q0YsILgbcyTk/L2fSMaV/:K7k1cL5p/FkQTTGFm1V9xKqp0ALSk/qI
Threatray	24 similar samples on MalwareBazaar
TLSH	T10B1633F4A5D0833BF7B4B23988B6BD304F560B16208B2F69E27D292E540B0B7E755457
dhash icon	c8949ccde6a81ec6 (5 x Sality, 1 x Vjw0rm)
Reporter	abuse_ch
Tags:	exe Sality

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174761/

Detection(s):

SecuriteInfo.com.Win32.Sector.30.30234.21125.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/daa0a921-3de5-4a05-bd8e-a2f33faffedc

Result

Threat name:

Sality

Detection:

malicious

Classification:

spre.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/823407

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to inject threads in other processes

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disables user account control notifications

Machine Learning detection for dropped file

Machine Learning detection for sample

May modify the system service descriptor table (often done to hook functions)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Writes to foreign memory regions

Yara detected Sality

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Virus.Sality

Status:

Malicious

First seen:

2021-07-28 12:28:23 UTC

AV detection:

41 of 46 (89.13%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgtx543dgf565kgk2den72ahshxbezd7me4wzp5ackfxgej3vogq._file

Verdict:

malicious

Sality

2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1

Sality

4ee41060b8f1c5679b10bebb8378f353ea62eb38ab27f041e3727dd8cb06b19d

Sality

bdb1b6c2151038f1023b551d26ef4eab2d5321066d3352d5357b8bee301b67b0

Sality

d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95

Sality

e9f7f68eccbf03a44f620273a1091733166d66d2ec2d64bbb03119300fed543c

Sality

f3dda8f48606c448d22a7b407f61757605acc028d3deddd0ad8c1e2742efcf86

Sality

+ 14 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan upx

Link:

https://tria.ge/reports/210728-jt33z4rtda/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Program crash

Drops file in Windows directory

Checks whether UAC is enabled

Windows security modification

UPX packed file

Modifies firewall policy service

UAC bypass

Windows security bypass

Unpacked files

SH256 hash:

196ad6346be15b82800fb3f9eca2b8400eb7ab7e2c538b61df604c71e851c5e7

MD5 hash:

3e5ea715e324808252d9b6f1af693b45

SHA1 hash:

45377b51e74c6513042063e2a652f5531582e1fc

Link:

https://www.unpac.me/results/c32a75b8-db56-48af-8223-5e9f9db2e4b5/

SH256 hash:

2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517

MD5 hash:

57cde8ddd4261277272a6151855f8966

SHA1 hash:

9afc39cfad97a3ce12949b65c05f438025fdbac2

Detections:

win_sality_auto

Link:

https://www.unpac.me/results/c32a75b8-db56-48af-8223-5e9f9db2e4b5/

Parent samples :

bdb1b6c2151038f1023b551d26ef4eab2d5321066d3352d5357b8bee301b67b0
d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95
4ee41060b8f1c5679b10bebb8378f353ea62eb38ab27f041e3727dd8cb06b19d
f3dda8f48606c448d22a7b407f61757605acc028d3deddd0ad8c1e2742efcf86
39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d
1a01e198f114dda369db7002b3ab6689c015405ed3837b458eb914eb48b0be45
537b10cf8e13513c59002c768458b911fb39b95a9d5d7cf28455577b26f86af3
eb88869b7f1bc3f33bb3cd56d6cf4d81fbb0beb590cb9678cc1acf3206f3056f
11df6b403ee5a2e308eff2382fe7ec896a087d14bbee47ed8a02c0a4d940bccf
40f6ef54f565857eedc2823d556b6e48f446526b2f8e490f473d79c5b8534849
50d803405e13a8749bbbc53185cc4e3d104ab2dd1d85e3c4c375a95697908ba1
48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248
db7d41592820a1b25476bdc4abcde914f4be174429866e26af9aed84a71f10e3
a4ef531f35ec95d7ea3310eb9a2ded322d2cdbf57eabe96aa491b8202a420c24
69735cd8499cfbf56dab45602c168d9ce3bec18f106935f17b311c0b17e5ec37
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
aae8a9852809300d5ee4f5a8031f42f660dff3e427aef081d9aeabb2dca84058
30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad

SH256 hash:

39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d

MD5 hash:

e52f3372030bb435777d88a709187eea

SHA1 hash:

08d3fde9daa0f0c9d9e924110c9d559486c8b6dc

Link:

https://www.unpac.me/results/c32a75b8-db56-48af-8223-5e9f9db2e4b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Sality

exe 39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1054739/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/174761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample