MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sality

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd
SHA3-384 hash:	7e47e3a9668536ca750302a17b80b5b4054b8ee3f79735250f1dbdba1f2595f19dd19457c8a176fccbbc5215b3319942
SHA1 hash:	e288c550593e30393860ed6a4a585f128fb17670
MD5 hash:	1c89918ebced02947e27d6acc591899f
humanhash:	xray-thirteen-lake-alaska
File name:	659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd.exe
Download:	download sample
Signature	Sality Create hunting rule
File size:	130'787 bytes
First seen:	2025-05-08 18:10:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	14610dd0ebbc796a9a3a2ba2cdd24e79 (11 x Sality)
ssdeep	3072:ZtE4+0yvrW+nVhUgDcDkuZqMvy+h5Wu50cZ:rEH0BI69DkuZqMvNhou50
Threatray	65 similar samples on MalwareBazaar
TLSH	T105D302B45EC049B0D748B3BE74A07CB93ECC54FDDEC9CBA9AA44107114328A5EC6A862
Magika	pebin
Reporter	Anonymous
Tags:	exe Sality

Intelligence

File Origin

# of uploads :

# of downloads :

499

Origin country :

Vendor Threat Intelligence

Malware family:

sality

ID:

File name:

659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd.exe

Verdict:

Malicious activity

Analysis date:

2025-05-08 18:37:32 UTC

Tags:

sality sainbox rat upx

Link:

https://app.any.run/tasks/1a90d66d-ce45-4982-880e-5615a271b3bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Cloud-9952218-0

Win.Virus.Sality-5901570-1

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681cf44791991ead82b6490c

Tags:

autorun sality emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Searching for synchronization primitives

Creating a window

Launching a process

Changing an executable file

Modifying an executable file

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Blocking a possibility to launch for the Windows Task Manager (taskmgr)

Blocking a possibility to launch for the Windows registry editor (regedit.exe)

Blocking the Windows Security Center notifications

Blocking the User Account Control

Firewall traversal

Unauthorized injection to a system process

Creating a file in the mass storage device

Enabling a "Do not show hidden files" option

Enabling autorun with system ini files

Unauthorized injection to a browser process

Infecting executable files

Enabling threat expansion on mass storage devices

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lordpe obfuscated overlay overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/681cf3c10b64e174c41e4977/reports/552344de-1427-438c-bf49-ea2c02ce4c32/overview

Verdict:

Malicious

Labled as:

Virus.Sality

Link:

https://www.hybrid-analysis.com/sample/659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd

Malware family:

Sality

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b9fe0f8-3e38-4097-bf2a-fce587485a29

Result

Threat name:

Sality

Detection:

malicious

Classification:

spre.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1684758

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disable Task Manager(disabletaskmgr)

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Disables UAC (registry)

Disables user account control notifications

Found evasive API chain (may stop execution after checking mutex)

Malicious sample detected (through community Yara rule)

May modify the system service descriptor table (often done to hook functions)

Modifies the windows firewall

Modifies the windows firewall notifications settings

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Writes to foreign memory regions

Yara detected Sality

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd/

Threat name:

Win32.Virus.Sality

Status:

Malicious

First seen:

2025-05-08 15:30:56 UTC

File Type:

PE (Exe)

AV detection:

36 of 37 (97.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mwpsnmbjg6ztvdh25yb66kq5tvffqgcyavandm6ov7r42lptj7oq._file

Verdict:

malicious

Label(s):

sality

Sality

49829d913ad9361f4234eb5d45bd40ed6d657465263aa205cc44c0fbd27f7425

Sality

90934adf962acb5497745d1e90b0cbda9c7773f7b915098b86ff3049adff09c4

Sality

b035c0d4a9bcaf0291c28662da3efdbb43296bbff24e96a0252a95998d91c972

Sality

error

Sality

f183afdbd9102f8f73a6194e3e5124314f4e77bfc9a2463ade664042550e6d36

Sality

f609e2189e6d2b9ffe53876d6a157717522d9765ad311485e18f77d60935423f

Sality

+ 55 additional samples on MalwareBazaar

Result

Malware family:

sality

Score:

10/10

Tags:

family:sality backdoor defense_evasion discovery trojan upx

Link:

https://tria.ge/reports/250508-wspzcahn2y/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops autorun.inf file

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Windows security modification

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Modifies firewall policy service

Sality

Sality family

UAC bypass

Windows security bypass

Malware Config

C2 Extraction:

http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/

Verdict:

Malicious

Tags:

Win.Dropper.Cloud-9952218-0

YARA:

n/a

Link:

https://app.threat.zone/submission/f0e1fe60-3857-4fbe-96c1-2f3ebf6e7342

Unpacked files

SH256 hash:

659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd

MD5 hash:

1c89918ebced02947e27d6acc591899f

SHA1 hash:

e288c550593e30393860ed6a4a585f128fb17670

Link:

https://www.unpac.me/results/ec367fa0-3d26-4848-8594-d56525a87113/

SH256 hash:

6728bc74aae1094cc88f44364659f2677f402ad0a5083a5e9f0694ed16727e4b

MD5 hash:

d4560ddea43f9f8b23a303653cc2282d

SHA1 hash:

cf1e64f731768db1fe5adc1f959aff204fd015b5

Link:

https://www.unpac.me/results/ec367fa0-3d26-4848-8594-d56525a87113/

SH256 hash:

d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a

MD5 hash:

31de33a273cf87952e94d3534335a9b1

SHA1 hash:

4df636d4de33d549a3a6e27ca75e8eb60e77c77a

Link:

https://www.unpac.me/results/ec367fa0-3d26-4848-8594-d56525a87113/

SH256 hash:

8ec28b718336a05245f2138cbcc4fea8e45f698a40bfc6fd79162adf67333e8b

MD5 hash:

dd09ad8e04a5595e859234824b326894

SHA1 hash:

b6b7fe689a9d30d884d8fa96d2969fdc195d2869

Detections:

win_sality_auto

win_sality_g0

sality

Sality_Malware_Oct16

INDICATOR_EXE_Packed_SimplePolyEngine

Link:

https://www.unpac.me/results/ec367fa0-3d26-4848-8594-d56525a87113/

Parent samples :

513c36f4a21c7ebf125fe36b98fb2c065898b9f543a6e8dbbf3f9a041c5b86fa
25cccd07f6b6e3a314f78830308864675c5c18ee42a69db5cacdceb0b754acb4
659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd
e21addfbc364c309bf5408cd977d44a6d683f9f4997c4154fbbc56e6dc54a162
5b6430e115eb28e10d4e38f3cf311fd9fd39b358ab0dcd6d7ff49bf9d01dab3a

SH256 hash:

ff7db9c1a2a875efb3b3a6f6f58734a4dce0ac3cdc4c5fd9030cb4d538540800

MD5 hash:

b968a4c7d4e906bd6704d8cc1786230e

SHA1 hash:

19768ffa7be9e3fbbc868332eec6523ff9722b60

Detections:

Sality_Malware_Oct16

INDICATOR_EXE_Packed_SimplePolyEngine

Link:

https://www.unpac.me/results/ec367fa0-3d26-4848-8594-d56525a87113/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/659f26b02937/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/659f26b02937b33a8cfaee03ef2a1d9d4a5818580540d1b3ceafe3cd2df34fdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SimplePolyEngine Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample