Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Sality

54
Global rank
48 infographic chevron month
Month rank
47
Week rank
0
IOCs

Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.

Botnet
Type
ex-USSR
Origin
1 June, 2003
First seen
8 October, 2025
Last seen

How to analyze Sality with ANY.RUN

Type
ex-USSR
Origin
1 June, 2003
First seen
8 October, 2025
Last seen

IOCs

IP addresses
206.189.61.126
37.230.104.89
84.114.219.90
81.181.64.5
76.104.215.8
81.180.234.176
220.121.134.142
71.95.133.164
72.218.137.25
78.96.105.81
129.74.157.231
62.90.21.54
80.54.102.172
212.12.166.36
201.24.159.221
87.121.209.81
164.125.131.62
77.77.35.67
85.17.167.196
89.230.213.141
Hashes
f70c24e5ba2942c4bd33859404930792dc5337654192c0af7689aeef8aebf8e8
f0b32c2dfb831c84c363248c66b01d761b6e5c850e6ec600bdfdceb0bee54431
9fabd958362f74af939536ec20729ec09aad20a6cf5a9dcfe27a34341af5af46
d3a2a6153127c96002be12ce2a0a6bcbd04cd8673d79b628517da8ac992a5ef9
e6f116c31b8a51302a511497b6124d0537e65236e84087fe76fab8a471c92fc3
86db2b85ee8bafb506518366ffe89ee7cacce765d8803465688973ddd228fe43
2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517
738dac6deb257eac03a7ed258feb364d910f7923e18ab812bf17d2b357f9b9f7
fb4da1ef20652929323378efa865be3f86036fc9e1d836c92d70876ac7f46c8c
c4b2b222a2832d505af895b74b71e26b1722600f2cd49d1a67feb3ec5f339348
2e73cba234ff1f2de0a0ea8c61b002215ed6ac10ec79add2b21fa9862b38aabc
03a0960c334f380443b814bf24182a8db079870bd01eadde4166ce8a13fc0b35
69735cd8499cfbf56dab45602c168d9ce3bec18f106935f17b311c0b17e5ec37
e5111e7bb0dc824512e4e0757a5c8539bbaa61fdfbddbce2638aad9f69b3f1ed
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
81016e47c07e705636c90a8e23777ac56f21bb26f1ce2076e16fe7b84f2160d0
7f48f615f72545c98de06a93d22300b7c6f388a263711a1e8a59df11d75e7cf9
5200002d9786514a3730961cd389e45e1df2af7c901335151eefafed4b10ea58
f43675215a8f73680ee87fdbf3cda2387491036ddd495ad159f9e9b6c39ec849
459f6ac7b14580cfd1df758152189e509114495b3f238114276d6e20e45c2246
Domains
canossadhule.in
proecosystems.com
vasicq.hop.ru
icqchat.vipshop.ru
quoz.com
vancityprinters.com
gatheredovertime.com
vinasonthanh.com
juniorboysown.com
shumbola.vo.uz
ahmediye.net
apple-pie.in
althawry.org
kukutrustnet777888.info
omeroglunakliyat.net
klkjwre9fqwieluoi.info
al-somow.com
bharatisangli.in
brucegarrod.com
padrup.com
URLs
http://pupydeq.com/login.php
http://gahyqah.com/login.php
http://kukutrustnet777.info/home.gif
http://www.ilmesters.edu.pk/image.gif
http://ilmesters.edu.pk/image.gif
http://batata.webzdarma.cz/bottom.gif
http://funwebstrankaaqworlds.wz.cz/image.gif
http://elcisigur.ro/stats/logo.gif
http://ecomgxh.kuwo.cn/EcomGxhServer/st/ruleData
http://ecomgxh.kuwo.cn/EcomGxhServer/st/receiveclient
http://www.aanshuman.com/images/s.jpg
http://maxoregypt.com/images/logof.gif
http://adiyamanlicigkoftecim.com/images/xs.jpg
http://acibademinsaat.com/xs.jpg
http://communityrespondalarm.com/images/logo.gif
http://absurdistan.unas.cz/xs.jpg
http://www.legalbilgisayar.com/img/logo.gif
http://kuplu.bel.tr/images/logo.gif
http://koonadance2.com/images/logo.gif
http://www.ecole-saint-simon.net/index_top/logo.gif
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 177
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 539
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3749
comments 0

What is Sality malware?

Sality is a file-infecting virus and botnet malware first observed around 2003. It primarily targets Windows systems, infecting executable files (.exe) and spreading rapidly across networks and removable drives.

Over time, it has become highly persistent and adaptive, evading traditional security measures through polymorphism, constantly changing its code to avoid detection.

Similar to other botnet malware like Phorpiex and Mirai, Sality has infected hundreds of thousands of computers globally, creating a massive botnet. The malware operators use this network for various purposes, ranging from relatively "benign" tasks like generating spam to more malicious activities, such as distributing password stealers. In 2011, one of the programs distributed through the Sality botnet focused on stealing web credentials, particularly targeting Facebook and Google Blogger accounts.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Sality malware technical details

The primary functionality of Sality malware includes:

  • Spreads by infecting executable files and removable drives.
  • Uses polymorphic techniques to change its code with every infection, making it harder for antivirus software to detect or create consistent signatures.
  • Creates a P2P botnet for malicious activities like data theft and DDoS attacks.
  • Disables antivirus and firewall protections and uses rootkit techniques to hide its presence on the system.
  • Modifies the infected system’s hosts file to block access to security websites, preventing the user from downloading tools or updates that might detect or remove the virus.
  • Allows attackers to update and control infected systems remotely.

Sality connects infected machines to command and control (C2) servers or other infected systems within its botnet. This allows attackers to issue commands, download additional malware, and update the virus, ensuring it remains persistent and adaptive in its attack methods. Through this botnet, Sality can be used for a wide range of malicious activities, including:

  • Spamming
  • Distributed Denial of Service (DDoS) attacks
  • Data theft
  • Downloading additional malware

The data exchanged between the infected system and C2 servers is often encrypted, making it difficult for security experts to analyze the malware's activities.

Sality malware execution process

To see how Sality operates, let’s upload its sample into the ANY.RUN sandbox.

Once the Sality malware is executed, the stub decrypts and runs a secondary code segment known as the loader. The loader operates in a separate thread within the infected process and is responsible for executing the malware's main payload.

Sality actively targets security software by terminating antivirus-related processes and deleting files critical to system security. It may also modify system settings to reduce security levels and block the execution of security tools.

Sality malware in ANY.RUN Sality malware analyzed in the ANY.RUN sandbox

The malware is capable of stealing sensitive information, such as cached passwords and keystrokes, and can search for email addresses to send spam. It communicates with remote command and control (C2) servers, often utilizing a peer-to-peer (P2P) network to download additional malicious payloads or updates.

Modern Sality variants can form botnets, enabling attackers to control multiple infected machines. The botnets can be used for various malicious activities, including distributed denial-of-service (DDoS) attacks and further malware propagation.

Sality can also download and execute other malware, often through a preconfigured list of peers within its P2P network, allowing it to expand its capabilities and maintain persistence on infected systems.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Sality malware distribution methods

Sality malware employs several distribution methods that allow it to spread widely across networks and systems:

  • File infection: Sality primarily infects executable files (.exe) on infected machines, which helps it spread as these files are shared or transferred across systems.
  • Removable drives: The malware spreads through infected USB drives, external hard drives, and other removable media. When these drives are connected to other machines, Sality automatically infects them.
  • Network shares: It can spread across local networks by infecting shared folders and files, making it highly effective in corporate or organizational environments with multiple connected systems.
  • Peer-to-Peer (P2P) botnet: Sality creates a decentralized botnet, enabling it to communicate with other infected machines, spreading its payload and receiving updates from the attacker.
  • Self-replication: Once inside a system, Sality can modify system files, allowing it to replicate itself and infect more files and applications.

Gathering threat intelligence on Sality malware

To collect up-to-date intelligence on Sality and its latest variants, use Threat Intelligence Lookup. The service helps you search across a vast database of quality threat data sourced from millions of malware analysis sessions conducted in the ANY.RUN sandbox. It lets you use over 40 different search parameters and their combinations, including IPs, domains, command line artifacts, and process names.

Let's use a mutex fragment found in one Sality sample to find more samples. To do this, we'll submit the following query: syncObjectName:".EXEM_"

Sality query in ANY.RUN Sality mutex query in Threat Intelligence Lookup

The service returns one hundred sandbox sessions that we can explore further.

Get a 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox

Conclusion

Sality’s ability to spread through infected files, disable security software, and form a botnet makes it a potential threat. Its focus on persistence and evading detection highlights the need for strong security measures. To effectively protect against Sality, it's important to use tools like malware sandboxes to thoroughly analyze suspicious files and detect threats early.

ANY.RUN offers a powerful solution, allowing users to safely examine and understand threats like Sality in real-time. By utilizing ANY.RUN, you can quickly detect and neutralize malware before it can cause harm to your systems.

Sign up for a free ANY.RUN account today and start analyzing malware with no limits!

HAVE A LOOK AT

Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Bert Ransomware screenshot
Bert Ransomware is a newly emerged ransomware group that has been active since April 2025. It deploys variants targeting both Windows and Linux systems, focusing on critical sectors like healthcare, technology, and event services across the US, Asia, and Europe.
Read More
Qilin Ransomware screenshot
Qilin ransomware (predecessor known as “Agenda”) is a rapidly evolving ransomware-as-a-service (RaaS) operation targeting organizations worldwide. Known for double extortion tactics (encrypting files while also threatening to leak stolen data) Qilin has quickly gained notoriety for its customization, flexibility, and impact on critical infrastructure.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
XRed screenshot
XRed
xred
XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications.
Read More