MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sality

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953
SHA3-384 hash:	d029998d0aa18f5702a66e9e2105b658a39c1aff8a86b7666757e4d3781104c0a9da2eff531cd67997f7f3796f883081
SHA1 hash:	be562d0bbd00b44ba8144c9330fe8911faf8cb48
MD5 hash:	eb2c2c4f6d4a732d1441a5cbef18d155
humanhash:	ohio-wolfram-tennis-december
File name:	VirusShare_53518afe3805b8b43ae97946b65a0d018804c78ecbec76d3dce7967aa87a64a2.exe
Download:	download sample
Signature	Sality Create hunting rule
File size:	1'266'987 bytes
First seen:	2025-03-11 23:43:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dd643fe47127e173d2302c8f84c76bad (1 x Sality)
ssdeep	24576:y7v9ks8niQbnemgYaBrWcN6rIJBvqYlDRjXHZIovcYYbsMz5qZxso5b3a2K:y7YiQbemgY3PrWIGz5ICBlMNezq
Threatray	17 similar samples on MalwareBazaar
TLSH	T193453345E0637FB4FA54213B098D2C0647F8AED5E2BBD3169937B0F304B21A97B5A913
TrID	29.3% (.EXE) UPX compressed Win32 Executable (27066/9/6) 28.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 17.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	28a2aaf0dcaacc71 (1 x Sality)
Reporter	2huMarisa
Tags:	exe Sality Virus

Intelligence

File Origin

# of uploads :

# of downloads :

532

Origin country :

Vendor Threat Intelligence

Malware family:

sality

ID:

File name:

VirusShare_53518afe3805b8b43ae97946b65a0d018804c78ecbec76d3dce7967aa87a64a2.exe

Verdict:

Malicious activity

Analysis date:

2025-03-11 23:47:46 UTC

Tags:

sality upx

Link:

https://app.any.run/tasks/91796e91-0392-481c-be72-2aacb0b92851

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d0d19c4fd7d3fd0e08640e

Tags:

autorun sality emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Searching for synchronization primitives

Creating a file

Launching a process

Changing an executable file

Modifying an executable file

Enabling the 'hidden' option for recently created files

Blocking the Windows Security Center notifications

Blocking the User Account Control

Firewall traversal

Unauthorized injection to a system process

Creating a file in the mass storage device

Enabling a "Do not show hidden files" option

Enabling autorun with system ini files

Unauthorized injection to a browser process

Infecting executable files

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Labled as:

Virus.Sality

Link:

https://www.hybrid-analysis.com/sample/a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sality

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f8bfb04-c9ed-4ebf-82f6-3527b257d33a

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1635781

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Creates a thread in another existing process (thread injection)

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disables UAC (registry)

Disables user account control notifications

Found direct / indirect Syscall (likely to bypass EDR)

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Modifies the windows firewall notifications settings

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953/

Threat name:

Win32.Virus.Sality

Status:

Malicious

First seen:

2025-03-11 23:44:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 38 (92.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ubbmsro2hiit37ge6f3cdwwzmrl2csdu4vpul2ipzuob7olsnfjq._file

Verdict:

malicious

Label(s):

sality

Sality

48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248

Sality

497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191

Sality

553fa159e5821f1847188e61ad2656550829d17b04b76eb8a1849a211605c6b2

Sality

69735cd8499cfbf56dab45602c168d9ce3bec18f106935f17b311c0b17e5ec37

Sality

a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953

Sality

a4ef531f35ec95d7ea3310eb9a2ded322d2cdbf57eabe96aa491b8202a420c24

Sality

error

Sality

+ 7 additional samples on MalwareBazaar

Result

Malware family:

sality

Score:

10/10

Tags:

family:sality backdoor defense_evasion discovery persistence trojan upx

Link:

https://tria.ge/reports/250311-3q7jyayqw4/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

UPX packed file

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies firewall policy service

Sality

Sality family

UAC bypass

Windows security bypass

Malware Config

C2 Extraction:

http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6dc905e3-2c72-43a7-b1fd-ddecbde2a8c6

Unpacked files

SH256 hash:

a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953

MD5 hash:

eb2c2c4f6d4a732d1441a5cbef18d155

SHA1 hash:

be562d0bbd00b44ba8144c9330fe8911faf8cb48

Link:

https://www.unpac.me/results/4f2978e2-dd1b-41cb-9814-05a696e50a8d/

SH256 hash:

704c4123f9e5b421bfc07cd621b7fb6c83373f76a0a1663f40fc6b4a57b43992

MD5 hash:

c62c6e6611df931df9ee9afda8be6ee5

SHA1 hash:

646e3b6beffee74f31da76f6bc6d605cc536fdba

Link:

https://www.unpac.me/results/4f2978e2-dd1b-41cb-9814-05a696e50a8d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a042c945da3a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a042c945da3a113dfcc4f17621dad96457a14874e55f45e90fcd1c1fb9726953

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SimplePolyEngine Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample