MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sality

Vendor detections: 18

Intelligence 18 IOCs YARA 8 File information Comments

SHA256 hash:	5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43
SHA3-384 hash:	4f8a3685bd6e4a7d694a8ab7e72724b7f4d3a40bb67f16d0cc182480a7528f8ea734ade57a3c33e90616e3bed417c40f
SHA1 hash:	9a382712b127f93dbbb7a7b48d9f67359650f56f
MD5 hash:	8fac6f614efa4bbe8b53f0954058d81e
humanhash:	charlie-bluebird-seven-washington
File name:	Setup (17717).exe
Download:	download sample
Signature	Sality Create hunting rule
File size:	3'012'760 bytes
First seen:	2025-03-16 22:45:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	49152:qrarOtpA+R8BOtUi3qQ/keZVosxvb4OwpnlrEiAQraxOaEAuQOqL6zXY+MBl:qrtA8DJ3oSvMdllrEiAQrNAhLaXIB
TLSH	T1FDD533FEAFB25931E5801070A213F1741173EF56169ACB942DD87F6BB9BF40A4A163C4
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10522/11/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	00043005bcd8f939 (1 x Sality)
Reporter	2huMarisa
Tags:	exe Sality Virus

Intelligence

File Origin

# of uploads :

# of downloads :

483

Origin country :

Vendor Threat Intelligence

Malware family:

sality

ID:

File name:

Setup17717.exe

Verdict:

Malicious activity

Analysis date:

2025-03-16 22:52:19 UTC

Tags:

stealer sality sainbox rat

Link:

https://app.any.run/tasks/f8b86fb4-bc24-4849-9ca9-d780eb413bea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d7562108116ce425719889

Tags:

autorun sality emotet madi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% subdirectories

Creating a file

Reading critical registry keys

Changing a file

Launching a process

Searching for synchronization primitives

Creating a window

Searching for the window

DNS request

Changing an executable file

Modifying an executable file

Enabling the 'hidden' option for recently created files

Blocking the Windows Security Center notifications

Blocking the User Account Control

Firewall traversal

Unauthorized injection to a system process

Creating a file in the mass storage device

Enabling a "Do not show hidden files" option

Enabling autorun with system ini files

Unauthorized injection to a browser process

Infecting executable files

Enabling threat expansion on mass storage devices

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

blackhole installer microsoft_visual_cc overlay

Link:

https://www.filescan.io/uploads/67d754b30a7899f35798926d/reports/fb540ff3-adda-42f2-be58-ee6943f95fd4/overview

Verdict:

Malicious

Labled as:

Virus.Sality

Link:

https://www.hybrid-analysis.com/sample/5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sality

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/752ce17d-0031-4649-b4f3-1e3ab5f40ef5

Result

Threat name:

Sality

Detection:

malicious

Classification:

spre.phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1640110

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Creates autorun.inf (USB autostart)

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disables UAC (registry)

Disables user account control notifications

Found direct / indirect Syscall (likely to bypass EDR)

Found stalling execution ending in API Sleep call

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

May modify the system service descriptor table (often done to hook functions)

Modifies Internet Explorer zone settings

Modifies the windows firewall

Modifies the windows firewall notifications settings

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Sality

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43/

Threat name:

Win32.Virus.Sality

Status:

Malicious

First seen:

2025-03-16 22:46:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 36 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l7lktcepiofmwmwhcz7n6fgqt7balsysceisd7i2pqt5pe6znzbq._file

Verdict:

malicious

Label(s):

sality

Similar samples:

error

Sality

Result

Malware family:

sality

Score:

10/10

Tags:

family:sality adware backdoor defense_evasion discovery spyware stealer trojan upx

Link:

https://tria.ge/reports/250316-2pypza1zcz/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System policy modification

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

UPX packed file

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Installs/modifies Browser Helper Object

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies firewall policy service

Sality

Sality family

UAC bypass

Windows security bypass

Malware Config

C2 Extraction:

http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1304e1f0-7ca8-49fe-9ce5-df093e307b43

Unpacked files

SH256 hash:

5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43

MD5 hash:

8fac6f614efa4bbe8b53f0954058d81e

SHA1 hash:

9a382712b127f93dbbb7a7b48d9f67359650f56f

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

04bb574023e10809d1a22044c7cf1991ef0c58ce480e353deb06c1944e01631b

MD5 hash:

9ee9e086d1c487e458f70599be2b86b6

SHA1 hash:

051e3635277f036a75946a8f6a442271943e13fe

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

a28eeb9bd108563da33c9004f8f8a87517edf9ea8fe7d8d4f99fb0e5692fb001

MD5 hash:

d6bad7d245e7023d92652a975ce3e35f

SHA1 hash:

1728f9592976a5785a464e3be6247e08d04f0c33

Detections:

win_sality_auto

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

bfa110d8abe7069d4d2185c89a20724279dfbe07ec0253d536d80f5797c0bb08

MD5 hash:

3fa4f8e0fa7c1fb191c4c990254ba609

SHA1 hash:

1c106b9b70e8cf2c61059c461923cc90e3b72d22

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

71836696e77efb7a134573ba7b6ff89d54f7c989ea944dbe688484f92c492565

MD5 hash:

bf900b9af363374924092d3094d60b35

SHA1 hash:

64cfb0c6e80a0e39e80f9107fcd06ae5413b76d3

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

b0b2e7a65d91c974e64fa30b53a216028053140e69f756381ede389fdbf3f87e

MD5 hash:

d4ab6c187dee1d219b970155f0099bb2

SHA1 hash:

9ba0421408a52c236e34dc43ca5daf53c78b0960

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

75cae6e6ce9d88075057f8c72f87fb30169cd6f8f2257aa8806d24d61559a66a

MD5 hash:

2ff64a9911db5721202bb23842632caa

SHA1 hash:

e641458562339f98dde83b5a004f9a6db541cbda

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a

MD5 hash:

31de33a273cf87952e94d3534335a9b1

SHA1 hash:

4df636d4de33d549a3a6e27ca75e8eb60e77c77a

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

SH256 hash:

12d2ce5214139fec057345d324388637f933c60770f90ac8aacc3290e39e369d

MD5 hash:

e1744118a035f07360c309da3fd6ebe7

SHA1 hash:

c84064bebbf95ed0acb3c0a6a2c3fbc55a4510c0

Detections:

win_sality_auto

win_sality_g0

sality

Sality_Malware_Oct16

INDICATOR_EXE_Packed_SimplePolyEngine

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

Parent samples :

e9f7f68eccbf03a44f620273a1091733166d66d2ec2d64bbb03119300fed543c
2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
7b23a666b13afaaba8005119e47c2f29f396c08a4d087abd3a0a254d3a6dbbe4
22c96890feb3ba58ca20a314d560e38f419f2eb2629b3c039b32815ec9539916
20ad1e6af5c86cb19ced3387f0a7928d98d5b62537d525d1a63e3ecd4a039bba
15c6840bc9c2de096c1a94d264da4d6d6cd148b7daf1b6399b76133a8a53b9d7
181695ba0cdd4904f94b59450af4022fb811da81f386dca90d439f7c66566c0b
775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
553fa159e5821f1847188e61ad2656550829d17b04b76eb8a1849a211605c6b2
2badff2b4c5f2bd4a0a40b75086a1a4d723ebb5d5d477fb7fdd9ba7a028903c9
14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964
7791f6e183515895b573412d3a79befa3e481e933a887fd4b51f515aad0bab95
c20a675a7c0046fd58a05b88fcd7be276f64dbcd291fb90a1fe92560a250cfd6
1248bf51c48a4325bf5765060d16d36f7d787f283e61513b6fa025d1b37c8b4c
b035c0d4a9bcaf0291c28662da3efdbb43296bbff24e96a0252a95998d91c972
7bb9e21749e29d8db44d7c033bcb5c9bbc7a04586cd0fc2f1091aa444ddd2aae
49829d913ad9361f4234eb5d45bd40ed6d657465263aa205cc44c0fbd27f7425
fe7312adcee75959980e8c85849fb18d24cbb39f0b1bb10ad53cddec70739fa1
f183afdbd9102f8f73a6194e3e5124314f4e77bfc9a2463ade664042550e6d36
9bf323d0fad8d66f4efeec4b03b3dd264c94c87a77c13ebbf1eb44b10a3b94ee
ce958e0fed577192e6d4a5ed1985acfe87e40b7c1527e7d6c93d745edde254a3
6333864c5e234f8622b331f72f2d6976e4cbd236d4ba943a9957d73341cb7db4
93ae1e3a03f14d568f81503cbd408294b7abbf7c252a1653635b40e96400ea2e
59ed81c319e33dcedb4571fa5f1252daa39bf94bd875d39e5cb7a1d9be032ad0
6702fef486a9118c11cbd50a3d920950a3e239332b4e2edc7ae84bd3c8951191
b594e7d2cd6cdaecba9978ca0929ac083d9588cf842c69475e477f442c6de66d
a865db64819d48be0bb2d15ac649b8e38823593aad09dc9af315441cdbcd598b
270496a7295b20141133c2270e6c037c9daf1b34d46dad6ef2bdfeae1dc8f78c
23d764c47d7c9b05bcbc874456bb1ebbc26e726944c2280d16710973953f1961
d4d75b95c87f9c2f5619752e878a6d99b17da4b75d9948f850824e2d0cec35ec
5d67421217598ead7df619e3b9ebc163d55302489c401a2cbe7257f0c3633f17
eae00bf2ce5d6e12a78682a4287d3ea10e4a8acd8db7231388281cff7bf653db
b4881a59d74b3cf79d3b137b9463eed5d1fe618a03cd50a27b07e237f371a41f
20b49c0ad729a35bc8dfce10bacda3083fe559309f87b4b91df6f5f17ecb0365
c22665c773d8bbc0b80479855c0c66211d3512b397fcfd2ba42b17bf1febbbf1
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a
2a04208e8c8aaaf817cd501fbd33c25fee503d5718db169c2f7c8acac68e54bf
0e252c0d6caed04398b0d93b99fb698177dfa8f47706d019281a299c7344b4f2
83f08985cb0b16f7003bf3a71819cba4bb5bf53cfe0a4bdb4fec5131d46ba6f5
5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43
f8c306717404e547eb3b33ac8b4c50ea9dd828e72dbd661e36608c82f4a1dc7b
026c3a6ca8d97570ffb364d55e656d213a00b674dcc79fc5b9e67b267db39a21
e33165272a98374486916aac8ee23e881301a54aca5218ba1b4943917a8ca0be
1490af5dc5fa09c66d8d075885415f567ed0ce5588cec94eacc423135c494347
7fb1ef9b5fbdebbbb313c2e0b4fa26ed3eb4131eb31d95a065613cf0ae7abf1c
c6eded88237526dd547c1d9aa1bc08563bb478ea3a1012432a6c450ab0546177
83eaedff3f924be2f353caf7b6139959fbfcd4d0a0e853f355f1b099f5962dca
d845a27df63f11be5747a75554d5c3d16ec3a5fea9004a5821411760a4ca78fe
295cb7d68d38d06bc0218c99e5f4a8436637c356606c5e83f763a1a777a4c842
276a55013af5996b82cf0a2534987adc19c8ce9b0277d5fc3e5bc8e90aab8545
016c33b4df7b68f1d57a24a2137f199cd6a59f417c8dc49210e7a552d9b01936
160e27a3657f4f3be7bc08d8d9012a59aa616fa57cec4b0a85895329026ace97
bd113ea6d2915f0ee3546ab75ff3e0ae60e120365a2fbaaf42ffd3909a175db4
f693ee5261989061cb7e219d22b6cd549c30889acc0e527513ca6495255deddc
237d4d3519c19e499ccf9becf595b3d74635a95ce50e28d464d15500e8558586
21f1b99116e1894e2a15ca5f429d36cdbd558190a1686e17ac3f0d7142cfc151
6039aa551a78430376f281fe1dbd47f6823ee3f0547a726cddfe99b488a4b549
002a1fb348c592c6464f6f5a2a7a47a0e097733da8e9ae1aa939e86bd0fc75a2
a2008f02a0367b03c1aab6b53fd5e65356e76b553f9d36e9c64477448883ebd3
ce6102a9f4d29bf39d2667c4f81a0d4c735df47eeaca2c01e5294ec9a0b26e94
6ce384777feb1be07abaa5d2ce88fb2b5841d036118c01e00e4e375f06580a33

SH256 hash:

faa2d7c07ad42b3b65207c6f2c133c4526daa5af27dd55bc84f22f21db4a3cf9

MD5 hash:

206682dce556dcb8e52374514e333a4b

SHA1 hash:

cc2e642394cdef1960b3c8a8c59094d9b1febe0c

Detections:

Sality_Malware_Oct16

INDICATOR_EXE_Packed_SimplePolyEngine

Link:

https://www.unpac.me/results/7f8cd502-d7cb-4909-9d80-b336ee17aef8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5fd6a9888f43/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5fd6a9888f438acb32c7167edf14d09fc205cb12111121fd1a7c27d793d96e43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_SliverFox_String Create hunting rule
Author:	huoji
Description:	Detect files is `SliverFox` malware

Rule name:	INDICATOR_EXE_Packed_SimplePolyEngine Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileA KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample