user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Virus:Win32/Sality.AT
Virus:Win32/Sality.AT - Windows Defender threat signature analysis

Virus:Win32/Sality.AT - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Virus:Win32/Sality.AT
Classification:
Type:Virus
Platform:Win32
Family:Sality
Detection Type:Concrete
Known malware family with identified signatures
Variant:AT
Specific signature variant within the malware family
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Virus - Infects other files for 32-bit Windows platform, family Sality

Summary:

Virus:Win32/Sality.AT is a highly virulent polymorphic file infector that targets Windows executables. It is known for disabling security software, establishing persistence through various mechanisms like scheduled tasks and BITS jobs, and using techniques like hooking and remote services for evasion and broader compromise, including file operations and data encoding.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)
YARA Rule:
rule Virus_Win32_Sality_AT_2147632182_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Virus:Win32/Sality.AT"
        threat_id = "2147632182"
        type = "Virus"
        platform = "Win32: Windows 32-bit platform"
        family = "Sality"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {81 ed 05 10 40 00 8a 9d 73 27 40 00 84 db 74 13 81 c4 ?? ?? ?? ?? 2d ?? ?? ?? ?? 89 85 ?? 12 40 00 eb 19 c7 85 ?? 14 40 00 22 22 22 22 c7 85 ?? 14 40 00 33 33 33 33 e9 ?? ?? 00 00}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: f073b23d47e6147d.exe
f073b23d47e6147dfef23e17170452edc57f09044fe64a872025c40ce6c70d59
22/03/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the affected system to prevent further spread. Perform a full system scan with updated antivirus software, ensuring all detected files are quarantined or removed. Verify system integrity for any disabled security features or unauthorized modifications, and apply all necessary security patches.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 22/03/2026. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$