sality

General

Target

bl4ke.exe
Size

469KB
Sample

241228-ddq9ravnfr
MD5

5d9e7031a5d7498bf610633a3d0f6981
SHA1

f11cd03ef06dd53e1cef1ff15693efc919030ac3
SHA256

e056b9ff0256dd40dac919efe92006ee49a3f50d222ab17e755c7dcdbc34a4fc
SHA512

0d846e552d8f2f344257bd6e65e4f3fbfc5d41d90892c9d19af3abe4dc4074a3c73e6802269800fdaaa90a0b0deb78bad40f0c1b75a34a6c840144f316945975
SSDEEP

6144:igQ9ahMwdrlDDX3RtZL7bieYMy4rZEqwpgJCNXFhHcuci:igQsMkrl5t0jINggJMFOuci

Score

10^/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA

Ransom Note

ALL COMPUTER DATA ENCRYPTED! 00:00:00 TIME AFTER ALL FILES WILL BE DELETED YOUR ID CC50539B88A0A18DB0C83C7C2609D4FD NOW YOU NEED TO PAY TO RECOVER YOUR DATA AFTER MONEY TRANSFER YOU WILL RECIEVE THE DECRYPTOR CONTACTS TELEGRAM @comodosecurity EMAIL [email protected] Any attempts to return your files with the third-party tools can be fatal for your encrypted files! The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files! There are several plain steps to restore your files but if you do not follow them we will not be able to help you!

Emails

[email protected]

Targets

- Target
  
  bl4ke.exe
- Size
  
  469KB
- MD5
  
  5d9e7031a5d7498bf610633a3d0f6981
- SHA1
  
  f11cd03ef06dd53e1cef1ff15693efc919030ac3
- SHA256
  
  e056b9ff0256dd40dac919efe92006ee49a3f50d222ab17e755c7dcdbc34a4fc
- SHA512
  
  0d846e552d8f2f344257bd6e65e4f3fbfc5d41d90892c9d19af3abe4dc4074a3c73e6802269800fdaaa90a0b0deb78bad40f0c1b75a34a6c840144f316945975
- SSDEEP
  
  6144:igQ9ahMwdrlDDX3RtZL7bieYMy4rZEqwpgJCNXFhHcuci:igQsMkrl5t0jINggJMFOuci
Score

10^/10

sality backdoor defense_evasion discovery evasion ransomware trojan upx
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1