MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad
SHA3-384 hash: cc4feb7dceeb2dd23e016fb393230580947c09e4a393d602f681ce06e1e89a1a4559bf19faf5175c4d57391d4dfe6e55
SHA1 hash: b04573000902a9a7cf6012a29bfee023eba3a0c2
MD5 hash: be2865834e4820a596d6e74b52f11c7d
humanhash: helium-river-seventeen-florida
File name:svchost.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'559'936 bytes
First seen:2025-11-23 09:20:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (234 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:3pZalUncocW6cd+Y8a+0h3OvOshLwZOi8jV96AYSHzlnvq3b:MIRjheFLwZyjhHzlyr
TLSH T16AF5338AC8FAAF60D15378BB0914EC61D21F323E03537ACF4D422A9565E95CC393769B
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Hexastrike
Tags:exe SalatStealer UPX
File size (compressed) :3'559'936 bytes
File size (de-compressed) :12'472'832 bytes
Format:win32/pe
Unpacked file: 04ffdc5d148b5a99782ec03566c319d86b0c68f86d1515bf1dd842ad2e9b9ce2

Intelligence

File Origin
# of uploads :
1
# of downloads :
12
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40332/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6922d932140de26f6c2c8e3d
Tags:
stration bitcoin crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Creating a file
Connection attempt
Sending a custom TCP request
Modifying a system file
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a window
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/6922d65ceecb08e4aa459c8f/reports/9b7229a8-91f3-4467-a351-939c3271c08c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad
Result
Gathering data
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/be2865834e4820a596d6e74b52f11c7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad/
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2025-11-21 22:45:39 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iheztrmil2a57zw6g2qfrntjsbtlnb3uakzaov3vuoxy5mst6gwq._file
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access discovery spyware stealer upx
Link:
https://tria.ge/reports/251123-lnazhsykbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Downloads MZ/PE file
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Unknown
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/00eb6dc0-5f7a-41a9-8519-30326f5e7fd9
Unpacked files
SH256 hash:
41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad
MD5 hash:
be2865834e4820a596d6e74b52f11c7d
SHA1 hash:
b04573000902a9a7cf6012a29bfee023eba3a0c2
Link:
https://www.unpac.me/results/1b9cbc51-70a3-4f83-9d69-86fbbdf8ca7e/
SH256 hash:
cd22f44ef373fd30bf5517e2b0684dae6a111aaa24b38dc03454fb0b35ad1392
MD5 hash:
a243f997ae25e68189a1e4c602e612ce
SHA1 hash:
c6c94885ee457303147b6cbdf373667bdf6d6f59
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/1b9cbc51-70a3-4f83-9d69-86fbbdf8ca7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 41c999c5885e81dfe6de36a058b6699066b6877402b2075775a3af8eb253f1ad

(this sample)

SalatStealer

Executable exe 04ffdc5d148b5a99782ec03566c319d86b0c68f86d1515bf1dd842ad2e9b9ce2

  
Dropping
SHA256 04ffdc5d148b5a99782ec03566c319d86b0c68f86d1515bf1dd842ad2e9b9ce2
  
Dropping
MD5 4e189631ce3e378bd9c3da8a0299ff3d
Cape
Cape
https://www.capesandbox.com/analysis/40332/

Comments