sality | 9ab29f4e939396b94de9df9bf13fa8bec718457bcbc5ababdf69eac48db88a40

Analysis

max time kernel
166s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:26

Target

46493b50f0fe2e9acaecceda4be9124f.exe
Size

314KB
MD5

46493b50f0fe2e9acaecceda4be9124f
SHA1

87d36884fba1befe5f33b45e2750f00a6e400ba4
SHA256

9ab29f4e939396b94de9df9bf13fa8bec718457bcbc5ababdf69eac48db88a40
SHA512

5742b268c1f0e23efcd959a6e7a9af86418e2ec953890bf5bc48cfb188839b903ba1658b9a8681b6a0a0cd4b710493da862d3b359e1bd1146174a643d74e446b
SSDEEP

6144:txA/BD/qHWdl5EFJSsOkuNg051iH6wNTGN9pzuvJgr:txA/Vj5EFElhV5+hBK3zuvir

Score

10^/10

sality backdoor upx

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3352-4-0x00000000021D0000-0x000000000325E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3352 set thread context of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	46493b50f0fe2e9acaecceda4be9124f.exe
2704	46493b50f0fe2e9acaecceda4be9124f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 3352 wrote to memory of 2704	3352	46493b50f0fe2e9acaecceda4be9124f.exe	91
PID 2704 wrote to memory of 3404	2704	46493b50f0fe2e9acaecceda4be9124f.exe	30
PID 2704 wrote to memory of 3404	2704	46493b50f0fe2e9acaecceda4be9124f.exe	30
PID 2704 wrote to memory of 3404	2704	46493b50f0fe2e9acaecceda4be9124f.exe	30
PID 2704 wrote to memory of 3404	2704	46493b50f0fe2e9acaecceda4be9124f.exe	30
PID 2704 wrote to memory of 3404	2704	46493b50f0fe2e9acaecceda4be9124f.exe	30

C:\Users\Admin\AppData\Local\Temp\0E57BCB8_Rar\46493b50f0fe2e9acaecceda4be9124f.exe

Filesize
246KB

MD5
e2f52ebe8885cedcae7e33c9920f8d3d

SHA1
f317e98b755755b1cdfc830ec98642ffbd66e59b

SHA256
ba973c60d0c9440045d8077682ddf295d8286eb98ecb5ced66ac50be111d9ddf

SHA512
d6b2a93c948005b608c92aa2a26877a1d9b3ab4b09cb936a35fd0732b57dd12c5579dc6bbc6beb08ffc437994236a9e5a3c3600ebd368efa57aef6c0ce433de6

Download Submit
memory/2704-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-13-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3352-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-4-0x00000000021D0000-0x000000000325E000-memory.dmp

Filesize
16.6MB

Download
memory/3352-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download