MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sality

Vendor detections: 16

SHA256 hash: 48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248
SHA3-384 hash: 74d61508aa74c38933bf9633ee65a913dbe6a697de9e72920ae7b8efd13c845f65c62c4b1507987e4170e9a09b8dfda8
SHA1 hash: c72d42b1a3c9782391b1a378c6cb69cbe780b759
MD5 hash: 485b03863fec97cbe194626f536bf19a
humanhash: black-friend-georgia-stairway
File name: 48029D524B58B030CBE0E7DFED75A17AAB0F68A316B26BF3F99F59A3F94CB248.exe
Signature: Sality
File size: 103'143 bytes
First seen: 2024-07-24 13:48:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 14610dd0ebbc796a9a3a2ba2cdd24e79 (10 x Sality)
ssdeep: 1536:3mTtpPbQKYPDWyx+Bvy6/JHBbcH+Dszyhl4q95KfubezDKVHUEVOn2br/EwOB0uA:38t6Ka6y+yGJhIeDuq9M3z7nE/zm93i
Threatray: 12 similar samples on MalwareBazaar
TLSH: T128A31246645CE52BD71A10F309BE3228DFB49A9E46BB5BEE34BE00ABC05FC57251043E
Reporter: Anonymous
Tags: exe Sality


Anonymous: This malware sample is very nasty!

Intelligence

File Origin
# of uploads: 1
# of downloads: 326
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Encryption Generic Spreading Stealth Sality
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Launching a process
Creating a file
Changing a file
Changing an executable file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Blocking the Windows Security Center notifications
Blocking the User Account Control
Firewall traversal
Unauthorized injection to a system process
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling autorun with system ini files
Unauthorized injection to a browser process
Infecting executable files
Enabling threat expansion on mass storage devices
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lordpe obfuscated overlay packed packed sality

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: ChromePolish
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Writes to foreign memory regions
Yara detected Sality
Behaviour
Threat name: Win32.Virus.Sality
Status: Malicious
First seen: 2024-07-07 06:49:33 UTC
File Type: PE (Exe)
AV detection: 24 of 24 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:sality backdoor discovery evasion trojan upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Checks whether UAC is enabled
Enumerates connected drives
UPX packed file
Windows security modification
Modifies firewall policy service
Sality
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Unpacked files
SHA256 hash: 2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517
MD5 hash: 57cde8ddd4261277272a6151855f8966
SHA1 hash: 9afc39cfad97a3ce12949b65c05f438025fdbac2
Detections: sality win_sality_g0 win_sality_auto INDICATOR_EXE_Packed_SimplePolyEngine Sality_Malware_Oct16

SHA256 hash: d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a
MD5 hash: 31de33a273cf87952e94d3534335a9b1
SHA1 hash: 4df636d4de33d549a3a6e27ca75e8eb60e77c77a

SHA256 hash: 79b413acf5cd1bcef3499d8088e8d55b3ea4b0772699e0b9cbd936d556bc69ef
MD5 hash: 1c95d9be7a2b12289e10163f4c76ef13
SHA1 hash: 8352c983f75b7a1289e5298b745757b9a8449c96
Detections: win_sality_auto Sality_Malware_Oct16

SHA256 hash: 48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248
MD5 hash: 485b03863fec97cbe194626f536bf19a
SHA1 hash: c72d42b1a3c9782391b1a378c6cb69cbe780b759
Detections: Sality_Malware_Oct16
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SimplePolyEngine
Author: ditekSHen
Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Sality_Malware_Oct16
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified malware - October 2016
Reference: Internal Research

Rule name: Sality_Malware_Oct16_RID2E9B
Author: Florian Roth
Description: Detects an unspecified malware - October 2016
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Sality
Executable exe 48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                 | Title                                                      | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                       | high
CHECK_NX           | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection   | high

Comments