MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f06923df64f4469c0a048b8ad95584d2c5d79c3ad265a73b334eac3b61d5f95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SalatStealer


Vendor detections: 15



SHA256 hash: 5f06923df64f4469c0a048b8ad95584d2c5d79c3ad265a73b334eac3b61d5f95
SHA3-384 hash: fb8339a173e8019eec5e0e690b7e74bdf4bacb282dffb78c80ca219057faf3527fcfe0ad1bea9ad631a1e4620c9bd25b
SHA1 hash: 3cf4da37ab6f1ae03846243fc36c307284ebfcdc
MD5 hash: 173dee2c11bf84d575caf80cea5d1218
humanhash: illinois-rugby-jersey-south
File name: 173dee2c11bf84d575caf80cea5d1218.exe
Signature: SalatStealer
File size: 22'708'224 bytes
First seen: 2025-10-28 06:57:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f776710de15d02f8fdd34319cacae5d9 (1 x CoinMiner, 1 x SalatStealer)
ssdeep: 393216:gr3+C/onUPn2NvrLBproHANc+0Rg0AS8U4Sifg+fUcQYt6w3ff4fe:gr3+miUP2NjtugNikbY+fUtw3ff4f
TLSH: T1313723C2D9C05BF4C3D3C70AD197138BD7D06596EBAF5A0939C4DC032A82DA71687E6A
TrID: 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.6% (.ICL) Windows Icons Library (generic) (2059/9)
      15.4% (.EXE) OS/2 Executable (generic) (2029/13)
      15.2% (.EXE) Generic Win/DOS Executable (2002/3)
      15.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe SalatStealer

Intelligence


File Origin
Uploads: 1
Downloads: 85
Origin country: SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
173dee2c11bf84d575caf80cea5d1218.exe
Verdict:
Malicious activity
Analysis date:
2025-10-28 06:59:28 UTC
Tags:
ms-smartcard stealer salatstealer upx susp-powershell golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
virus
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug obfuscated packed stealer unsafe vmprotect
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-23T20:00:00Z UTC
Last seen:
2025-10-28T08:19:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.Win32.Agent.sb Trojan-Banker.Win32.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.HashCity.sb Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win64.Salat.byn Trojan-PSW.Win32.Coins.sb
Result
Threat name:
Salat Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Salat Stealer
Behaviour
Behavior Graph (ID 1802928; sample xw4jggPXq5.exe; start date 28/10/2025; architecture WINDOWS; score 100):

Top level: contacts dns.google; Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 4 other signatures. Processes started: xw4jggPXq5.exe, ekVUg9Tm9.exe (started twice), 2 other processes.

xw4jggPXq5.exe: dropped C:\Users\user\AppData\...\msedge_helper.exe (PE32); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Tries to detect debuggers (CloseHandle check); 2 other signatures; started msedge_helper.exe.

ekVUg9Tm9.exe: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; started powershell.exe.

msedge_helper.exe: network: dns.google 8.8.4.4 (ports 443, 50154, 55392) GOOGLEUS United States; 8.8.8.8 (ports 443, 55393, 59140) GOOGLEUS United States; 104.21.81.197 (ports 443, 55395, 58767) CLOUDFLARENETUS United States; dropped C:\...\AYDnxq3REKVKg2u.exe (PE32) and C:\Program Files (x86)\...\ekVUg9Tm9.exe (PE32); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Creates multiple autostart registry keys; started AYDnxq3REKVKg2u.exe.

powershell.exe: Loading BitLocker PowerShell Module; started WmiPrvSE.exe and conhost.exe.
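The graph records msedge_helper.exe reaching 8.8.4.4 and 8.8.8.8 on port 443 (the dns.google endpoint) before it reaches 104.21.81.197 on 443. A public resolver on 443 rather than 53 is consistent with DNS over HTTPS, which would keep the name being resolved out of the endpoint's port-53 DNS telemetry; that is an analyst's inference from the graph, not something the page states. The detection logic below is an added example, not MalwareBazaar or any sandbox vendor's code. The events are constructed Sysmon-style network-connection records modelled on the process tree above (the paths are invented), and the resolver list and browser allowlist are assumptions to tune per environment.

```python
"""Flag non-browser processes that use a public DNS-over-HTTPS resolver and record the
:443 peers they reach afterwards. Added example; events are constructed, not page data."""
import ntpath

# Assumptions to tune per environment: public DoH resolver IPs/hosts and the processes
# that are expected to speak DoH on their own.
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon-style events (image, dest_ip, dest_port, dest_host) modelled on the
# behavior graph. Paths are invented; this is not a capture from the sample.
CONSTRUCTED_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\msedge_helper.exe", "8.8.4.4", 443, "dns.google"),
    (r"C:\Users\user\AppData\Local\Temp\msedge_helper.exe", "8.8.8.8", 443, ""),
    (r"C:\Users\user\AppData\Local\Temp\msedge_helper.exe", "104.21.81.197", 443, ""),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "8.8.8.8", 443, "dns.google"),
    (r"C:\Windows\System32\svchost.exe", "8.8.8.8", 53, ""),
]


def is_doh(dest_ip: str, dest_port: int, dest_host: str) -> bool:
    """Plain DNS on 53 is not DoH; a known public resolver reached on 443 is."""
    return dest_port == 443 and (
        dest_ip in DOH_RESOLVER_IPS or dest_host.lower() in DOH_RESOLVER_HOSTS
    )


def triage(events):
    """Per non-browser process: the DoH resolvers it used, and every other :443 peer it
    contacted after its first DoH exchange (candidate hosts resolved out of band)."""
    findings = {}
    for image, ip, port, host in events:
        exe = ntpath.basename(image).lower()
        # Exact basename match: msedge_helper.exe mimics msedge.exe but is not allowlisted.
        # A production rule should also check the image path and Authenticode signer.
        if exe in BROWSERS:
            continue
        entry = findings.setdefault(
            exe, {"image": image, "doh_resolvers": [], "post_doh_peers": []}
        )
        if is_doh(ip, port, host):
            if ip not in entry["doh_resolvers"]:
                entry["doh_resolvers"].append(ip)
        elif entry["doh_resolvers"] and port == 443 and ip not in entry["post_doh_peers"]:
            entry["post_doh_peers"].append(ip)
    # Only processes that actually used DoH are reported.
    return {exe: e for exe, e in findings.items() if e["doh_resolvers"]}


if __name__ == "__main__":
    for exe, e in triage(CONSTRUCTED_EVENTS).items():
        print(f"{exe}: DoH via {e['doh_resolvers']}, then reached {e['post_doh_peers']}")
```

On the constructed events this reports only msedge_helper.exe, with 8.8.4.4 and 8.8.8.8 as resolvers and 104.21.81.197 as the peer contacted afterwards; chrome.exe is allowlisted and svchost.exe used ordinary port-53 DNS. The post-DoH peers are the addresses worth pivoting on, because the hostname they were resolved from never appeared on port 53.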
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Packed.Generic
Status:
Suspicious
First seen:
2025-10-24 00:41:44 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  1/5
Result
Malware family:
salatstealer
Score:
  10/10
Tags:
family:salatstealer credential_access discovery spyware stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detect SalatStealer payload
Salatstealer family
salatstealer
Malware family:
SalatStealer
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HUNTING_SUSP_TLS_SECTION
Author: chaosphere
Description: Detect PE files with .tls section that can be used for anti-debugging
Reference: Practical Malware Analysis - Chapter 16
Rule name: pe_detect_tls_callbacks
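Both rules key on the same PE feature: TLS callbacks run before the entry point, so packers and anti-debug stubs use them to test for a debugger before any analyst-visible code executes, and a .tls section or a populated TLS data directory is the static trace of that. The script below is an added example in standard-library Python (not YARA, MalwareBazaar or vendor code) that reads the same header fields: architecture, section names, whether a .tls section exists, whether the TLS data directory (index 9) is populated, and section names with non-printable characters or UPX prefixes, which correspond to two other signatures on this page. The build_test_pe helper constructs a minimal PE32+ header so the check can be exercised offline; it is not the sample.

```python
"""Static PE header triage: TLS directory, .tls section, odd section names.
Added example using only the standard library; not YARA, MalwareBazaar or vendor code."""
import json
import struct
import sys

TLS_DIR_INDEX = 9                          # IMAGE_DIRECTORY_ENTRY_TLS
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Characters normally seen in linker-generated section names (assumption; tune as needed).
SAFE_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_off = 96                        # data directories start here in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dd_off = 112                       # and here in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes is the DWORD immediately before the data directory array.
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    tls_rva = tls_size = 0
    if n_dirs > TLS_DIR_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, opt + dd_off + 8 * TLS_DIR_INDEX)
    names = []
    sec_table = opt + opt_size             # section table follows the optional header
    for i in range(nsec):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "arch": {0x8664: "x64", 0x14C: "x86"}.get(machine, f"{machine:#x}"),
        "sections": names,
        "has_tls_section": any(n.lower() == ".tls" for n in names),
        # A populated TLS directory is where callbacks are declared. It does not prove
        # AddressOfCallBacks is non-null; confirming that means mapping tls_rva to file data.
        "has_tls_directory": tls_rva != 0 and tls_size != 0,
        "odd_section_names": [n for n in names if not n or any(c not in SAFE_NAME_CHARS for c in n)],
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


def build_test_pe(section_names, tls_dir: bool) -> bytes:
    """Constructed minimal PE32+ header (headers only, not loadable) to exercise inspect_pe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                            # PE32+ header, 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    if tls_dir:
        struct.pack_into("<II", opt, 112 + 8 * TLS_DIR_INDEX, 0x3000, 0x28)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("latin-1"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names)
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(json.dumps(inspect_pe(fh.read()), indent=2))
    else:
        print(json.dumps(inspect_pe(build_test_pe([".text", ".tls"], tls_dir=True)), indent=2))
```

Run it as `python pe_tls_check.py sample.exe` (assumed file name) to print the findings for a real file. Treat a populated TLS directory or a .tls section as a hunting lead, as the rule names say, not as a verdict: legitimate C and C++ runtimes declare TLS too, and a UPX stub can legitimately carry odd section names, so the result should be read together with the sandbox behaviour above.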

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments