Win32:Sality-NWC (file analysis)

Malware Removal

Win32:Sality-NWC is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and cure your PC during the trial period.
6-day free trial available.

What can the Win32:Sality-NWC virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Code injection with CreateRemoteThread in a remote process
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • A process attempted to delay the analysis task by a long amount of time.
  • Installs itself for autorun at Windows startup
  • Operates on local firewall’s policies and settings
  • Attempts to disable UAC
  • Attempts to modify or disable Security Center warnings
  • Anomalous binary characteristics
  • Attempts to modify Explorer settings to prevent hidden files from being displayed

How to identify Win32:Sality-NWC?

File Info:

name: 9D345F3CCCCD92BB495A.mlw
path: /opt/CAPEv2/storage/binaries/e97b59310d95efa8ed0b5de25b0b84885e84847d2a413beb55eece7c3f557460
crc32: D1C04ADC
md5: 9d345f3ccccd92bb495a6f2b64d57a0d
sha1: b801a1a836ae1f61d7932374cb5676b01b810806
sha256: e97b59310d95efa8ed0b5de25b0b84885e84847d2a413beb55eece7c3f557460
sha512: 0c5cad5a8417b58ede02721fb8a0778187c6871a8ecc4a8dbae328ac6c28d2a988448cf40132aba131b6eabfd8abf664a2f2140a51c24f47dbb3ff645a6df26f
ssdeep: 196608:pqNTa+dTEp5bNWsvBaRPE6fDyasUSFSQEKsCrA7SegDGnM/ttLqDxd0sFKCa5:pqs+tEDN3aRP9fsUSFSQfvnDj/cdnFR+
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1DFC68BC3BB04EC68E44364376C1993A016096D9378A5EC1E6DD9BE1F7FB53C26386A43
sha3_384: f94e05d60bc99eb06761d15fab47cbfdff9d43d23a8d98d1e6185303f2fe4fe823ae26f5328e5bd08db39ba0c8d8d7aa
ep_bytes: 6069d94c8f30f903df6848cd5a00550f
timestamp: 1992-06-19 22:22:17

Version Info:

CompanyName: FinalWire Ltd.
FileDescription: AIDA64 Extreme
FileVersion: 6.20.5300
InternalName: AIDA64
LegalCopyright: Copyright (c) 1995-2019 FinalWire Ltd.
OriginalFilename: aida64.exe
ProductName: AIDA64 Extreme
ProductVersion: 6.20
Translation: 0x0409 0x04e4

Win32:Sality-NWC also known as:

Bkav: W32.Sality.PE
Lionic: Virus.Win32.Sality.v!c
FireEye: Generic.mg.9d345f3ccccd92bb
CAT-QuickHeal: W32.Sality.U
McAfee: W32/Sality.gen.z
Cylance: Unsafe
Zillya: Virus.Sality.Win32.25
CrowdStrike: win/malicious_confidence_100% (D)
Alibaba: Virus:Win32/Sality.cd1de402
K7GW: Virus ( f10001f11 )
K7AntiVirus: Virus ( f10001f11 )
Baidu: Win32.Virus.Sality.gen
VirIT: Win32.Sality.BH
Cyren: W32/Sality.gen2
Symantec: W32.Sality.AE
ESET-NOD32: Win32/Sality.NBA
APEX: Malicious
Avast: Win32:Sality-NWC
Kaspersky: Virus.Win32.Sality.sil
BitDefender: Win32.Sality.3
NANO-Antivirus: Virus.Win32.Sality.yusp
MicroWorld-eScan: Win32.Sality.3
Tencent: Virus.Win32.TuTu.Gen.200004
Ad-Aware: Win32.Sality.3
Sophos: Mal/Generic-S + Mal/Sality-D
Comodo: Virus.Win32.Sality.gen@1egj5j
DrWeb: Win32.Sector.30
VIPRE: Virus.Win32.Sality.at (v)
TrendMicro: PE_SALITY.RL
McAfee-GW-Edition: W32/Sality.gen.z
Emsisoft: Win32.Sality.3 (B)
Paloalto: generic.ml
GData: Win32.Sality.3
Jiangmin: Win32/HLLP.Kuku.poly2
Avira: W32/Sality.AG
Antiy-AVL: Trojan/Generic.ASVirus.C4
Arcabit: Win32.Sality.3
ViRobot: Win32.Sality.Gen.A
ZoneAlarm: Virus.Win32.Sality.sil
Microsoft: Virus:Win32/Sality.AT
TACHYON: Virus/W32.Sality.D
AhnLab-V3: Win32/Kashu.E
BitDefenderTheta: AI:FileInfector.A5ECCBAB0E
MAX: malware (ai score=84)
VBA32: Virus.Win32.Sality.bakb
Malwarebytes: Malware.Heuristic.1003
TrendMicro-HouseCall: PE_SALITY.RL
Rising: Virus.Sality!1.A5BD (CLOUD)
Yandex: Win32.Sality.BK
MaxSecure: Virus.Sality.BH
Fortinet: W32/CoinMiner.BH
AVG: Win32:Sality-NWC
Cybereason: malicious.ccccd9
Panda: W32/Sality.AA

How to remove Win32:Sality-NWC?

Win32:Sality-NWC removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
