Extracted

• • Target

    63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9

  • Size

    282KB

  • MD5

    4e329b43d4d3d9ae7d34c2c93aa52ba9

  • SHA1

    14347433cb7954222b901c8c18e7d4c040ae7ad0

  • SHA256

    63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9

  • SHA512

    72a92c55be81719693c1f80cc5d8c1716b7ffd210188474594477515b33868fc1eb51359356ce9259dfd8b3f9674516ecad28c305a274e5264579b9d68c9217a

  • SSDEEP

    3072:SObjCPedQsoaRJU7KF+6aLK2IJqi6uS+gkDstXKJVqv8d0JG2wmVVW8wwWjwnCms:SXPEQaNJVYlNsJlsjzdjXYL9

  Score

  10^/10

  salitybackdoorevasionpersistencetrojanupx

  • Modifies firewall policy service

    evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Detects executables containing possible sandbox analysis VM usernames

  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

  • UPX dump on OEP (original entry point)

  • Blocklisted process makes network request

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  behavioral1behavioral2