Extracted

• • Target

    6a60a1967fd505729c77b257d46e311b31bfb52a7ffcd194bff9aa005405902a.exe

  • Size

    65KB

  • MD5

    33806870496c845bdf003bf8246a492c

  • SHA1

    237578f9a65edada6828103fc76f03c952d7ad3c

  • SHA256

    6a60a1967fd505729c77b257d46e311b31bfb52a7ffcd194bff9aa005405902a

  • SHA512

    1b63b0155f0dda2c6c917e4bcaa3f6525c2fbebd195c15a03db0d403113c85f34ef0b54168c05c1463b84ac5d77ccee4c32b7fa7ec1f1c4fc6a780fb7faa21eb

  • SSDEEP

    1536:Zqk7u1V/IngoaYHqUoSxaPyktcQ3y1oo3uIZUs58CKyWG/SMXRT:Zq8AI0ZJNK/eICZyWG/VXRT

  Score

  10^/10

  salitybackdoorbootkitdefense_evasiondiscoverypersistencetrojanupx

  • Modifies firewall policy service

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Downloads MZ/PE file

  • Uses Session Manager for persistence

    Creates Session Manager registry key to run executable early in system boot.

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1