Cuckoo Sandbox

File 5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3

Summary
Download Resubmit sample

Size	32.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c8b57323e3514521aea7b89f253be3c3`
SHA1	`3b1d4429f59ed437505c261b1a33ee2c331b71d5`
SHA256	`5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3`
SHA512	`f27f07c23e0473b9532314ed07fe057390da7f90e51004efe2c8d8c4d0e0e5a0df6980f4b26ffc9e4041b193902a4982549f99c953836e989fe84e28d05bf410`
CRC32	`868C15A7`
ssdeep	`None`
Yara	Sality_Malware_Oct16 - Detects an unspecififed malware - October 2016

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	March 25, 2025, 5:06 a.m.	March 25, 2025, 5:12 a.m.	371 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-03-24 13:07:53,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpwoh6zt
2025-03-24 13:07:53,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\nAtgPGHWCkpOMOWwKdpDPPG
2025-03-24 13:07:53,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\pwxIZpUkfCQKiGJXKodoziqHBGiOa
2025-03-24 13:07:53,421 [analyzer] DEBUG: Started auxiliary module Curtain
2025-03-24 13:07:53,421 [analyzer] DEBUG: Started auxiliary module DbgView
2025-03-24 13:07:53,937 [analyzer] DEBUG: Started auxiliary module Disguise
2025-03-24 13:07:54,171 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-03-24 13:07:54,171 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-03-24 13:07:54,171 [analyzer] DEBUG: Started auxiliary module Human
2025-03-24 13:07:54,171 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-03-24 13:07:54,187 [analyzer] DEBUG: Started auxiliary module Reboot
2025-03-24 13:07:54,358 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-03-24 13:07:54,358 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-03-24 13:07:54,358 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-03-24 13:07:54,358 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-03-24 13:07:54,515 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3.exe' with arguments '' and pid 2800
2025-03-24 13:07:54,703 [analyzer] DEBUG: Loaded monitor into process with pid 2800
2025-03-24 13:07:55,515 [analyzer] INFO: Process with pid 2800 has terminated
2025-03-24 13:07:55,515 [analyzer] INFO: Process list is empty, terminating analysis.
2025-03-24 13:07:56,765 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-03-24 13:07:56,765 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-03-25 05:06:27,377 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:28,418 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:29,438 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:30,473 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:31,508 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:32,548 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:33,588 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:34,633 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:35,677 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:36,732 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:37,787 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:38,822 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:39,852 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:40,904 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:41,961 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:43,001 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:44,066 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:45,115 [cuckoo.core.scheduler] DEBUG: Task #6152068: no machine available yet
2025-03-25 05:06:46,147 [cuckoo.core.scheduler] INFO: Task #6152068: acquired machine win7x643 (label=win7x643)
2025-03-25 05:06:46,149 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.203 for task #6152068
2025-03-25 05:06:46,598 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1260121 (interface=vboxnet0, host=192.168.168.203)
2025-03-25 05:06:46,677 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x643
2025-03-25 05:06:47,507 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x643 to vmcloak
2025-03-25 05:09:28,098 [cuckoo.core.guest] INFO: Starting analysis #6152068 on guest (id=win7x643, ip=192.168.168.203)
2025-03-25 05:09:29,103 [cuckoo.core.guest] DEBUG: win7x643: not ready yet
2025-03-25 05:09:34,144 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x643, ip=192.168.168.203)
2025-03-25 05:09:34,241 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x643, ip=192.168.168.203, monitor=latest, size=6660546)
2025-03-25 05:09:36,068 [cuckoo.core.resultserver] DEBUG: Task #6152068: live log analysis.log initialized.
2025-03-25 05:09:37,176 [cuckoo.core.resultserver] DEBUG: Task #6152068 is sending a BSON stream
2025-03-25 05:09:37,676 [cuckoo.core.resultserver] DEBUG: Task #6152068 is sending a BSON stream
2025-03-25 05:09:38,537 [cuckoo.core.resultserver] DEBUG: Task #6152068: File upload for 'shots/0001.jpg'
2025-03-25 05:09:38,570 [cuckoo.core.resultserver] DEBUG: Task #6152068 uploaded file length: 133455
2025-03-25 05:09:39,713 [cuckoo.core.resultserver] DEBUG: Task #6152068: File upload for 'curtain/1742818076.64.curtain.log'
2025-03-25 05:09:39,716 [cuckoo.core.resultserver] DEBUG: Task #6152068 uploaded file length: 36
2025-03-25 05:09:39,840 [cuckoo.core.resultserver] DEBUG: Task #6152068: File upload for 'sysmon/1742818076.75.sysmon.xml'
2025-03-25 05:09:39,850 [cuckoo.core.resultserver] DEBUG: Task #6152068 uploaded file length: 204494
2025-03-25 05:09:40,690 [cuckoo.core.resultserver] DEBUG: Task #6152068 had connection reset for <Context for LOG>
2025-03-25 05:09:41,602 [cuckoo.core.guest] INFO: win7x643: analysis completed successfully
2025-03-25 05:09:41,617 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-03-25 05:09:41,654 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-03-25 05:09:42,744 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x643 to path /srv/cuckoo/cwd/storage/analyses/6152068/memory.dmp
2025-03-25 05:09:42,746 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x643
2025-03-25 05:12:38,353 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.203 for task #6152068
2025-03-25 05:12:38,928 [cuckoo.core.scheduler] DEBUG: Released database task #6152068
2025-03-25 05:12:38,949 [cuckoo.core.scheduler] INFO: Task #6152068: analysis procedure completed

Signatures

Yara rule detected for file (1 event)

description

Detects an unspecififed malware - October 2016

rule

Sality_Malware_Oct16

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 24, 2025, 2:07 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x76fe9f72 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x76fe9f45 exception.instruction_r: 00 00 00 00 59 81 c1 cf 01 00 00 51 8d 1d 60 47 exception.symbol: 5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3+0x1042 exception.instruction: add byte ptr [eax], al exception.module: 5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3.exe exception.exception_code: 0xc0000005 exception.offset: 4162 exception.address: 0x401042 registers.esp: 1638280 registers.edi: 0 registers.eax: 1960653720 registers.ebp: 1638292 registers.edx: 4198464 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)

G Data Antivirus (Windows)	Virus: Trojan.Dropper.Sality.C (Engine A)
Avast Core Security (Linux)	Win32:Sality-RCX [Drp]
C4S ClamAV (Linux)	Win.Virus.SalStub-1
Trellix (Linux)	W32/Sality.dr virus
WithSecure (Linux)	Trojan.TR/Dropper.Gen
eScan Antivirus (Linux)	Trojan.Dropper.Sality.C(DB)
ESET Security (Windows)	Win32/Sality virus
Sophos Anti-Virus (Linux)	Troj/SalLoad-C
DrWeb Antivirus (Linux)	Trojan.Damaged.3
ClamAV (Linux)	Win.Virus.SalStub-1
Bitdefender Antivirus (Linux)	Trojan.Dropper.Sality.C
Kaspersky Standard (Windows)	HEUR:Packed.Win32.BadCrypt.gen
Emsisoft Commandline Scanner (Windows)	Trojan.Dropper.Sality.C (B)

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.SalDropv3.Worm
Lionic	Hacktool.Win32.Sality.x!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Hello.A1
Skyhigh	BehavesLike.Win32.Sality.nm
ALYac	Trojan.Dropper.Sality.C
Cylance	Unsafe
VIPRE	Trojan.Dropper.Sality.C
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Dropper.Sality.C
K7GW	Trojan ( 001cddbb1 )
K7AntiVirus	Trojan ( 001cddbb1 )
Arcabit	Trojan.Dropper.Sality.C
Baidu	Win32.Trojan.Sality.p
VirIT	Win32.Sality-Drp.B
Symantec	W32.Sality!dr
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Sality
APEX	Malicious
Avast	Win32:Sality-RCX [Drp]
ClamAV	Win.Virus.SalStub-1
Kaspersky	HEUR:Packed.Win32.BadCrypt.gen
Alibaba	Malware:Win32/km_2a8b77.None
NANO-Antivirus	Heuristic.Win32.CorruptedFile.lcrsv
SUPERAntiSpyware	Trojan.Agent/Gen-FraudPack
MicroWorld-eScan	Trojan.Dropper.Sality.C
Rising	Trojan.Win32.KUKU.a (CLASSIC)
Emsisoft	Trojan.Dropper.Sality.C (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Damaged.3
McAfeeD	Real Protect-LS!C8B57323E351
Trapmine	malicious.high.ml.score
CTX	exe.trojan.sality
Sophos	Troj/SalLoad-C
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.c8b57323e3514521
Jiangmin	Trojan/Inject.lrc
Webroot	W32.Sality.Gen
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Virus/Win32.Sality.stub
Kingsoft	Win32.Packed.BadCrypt.gen
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	Win32.Kashu.RA@1ygt6m
Microsoft	Trojan:Win32/Multiverze!rfn
ViRobot	Trojan.Win32.Sality.103140
ZoneAlarm	Troj/SalLoad-C
GData	Trojan.Dropper.Sality.C
Varist	W32/Sality.C.gen!Eldorado

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 5aea66ae3c884bf57af605b401ecf0a4bb3462a30163510f1c6f45f2636ea1b3

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample