Description

Timeline

Wed Feb 19 20:42:28 CET 2014

Started win13, already infected with 89828eec51d6fe22768c9364dcbb49b9.

P2P botnet

Urlquery report: http://urlquery.net/report.php?id=9404817

The URL http://www.greenbeach.de/logo.gif?24636=447138 found in this capture matched the signature ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker.

~Mon Apr 6 8:46:00 CEST 2014

Huge powerdown on Sun 06, at 10am... powering up now.

Analysis

It was cracking Cisco routers' web pages!

Sality Botnet, as detected by https://www.virustotal.com/en/file/6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e/analysis/1400250260/

It uses P2P and "super peers".