MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
SHA3-384 hash: 2af183099e2f084a2c980007442dba749835849be023b346c8a2339076d5bbbf5f7729c20d9c546d1d654f9ddb006291
SHA1 hash: dce87a06de47fb420a8b19819feb26cbe35c7a5a
MD5 hash: a38e90fe72448ba4c32df2b2d22ce19b
humanhash: vegan-friend-king-twelve
File name:Xeno.bat
Download: download sample
Signature SalatStealer
Create hunting rule
File size:9'044 bytes
First seen:2026-03-21 19:37:27 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 192:7K34jEMBB9EX6Qb3goNDMy71Mccz7dzyrEgb83S:7K34jEMBBmq0wMe/Qrrbt
Threatray 246 similar samples on MalwareBazaar
TLSH T10112567DD9E1FDD0876F23D079DAEAC6209B8A13AE6E2E6CD2C404E10B502559BB914C
Magika batch
Reporter burger
Tags:bat SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Xeno.bat
Verdict:
Malicious activity
Analysis date:
2026-03-21 19:36:56 UTC
Tags:
github loader reverseloader susp-powershell payload salatstealer stealer upx golang
Link:
https://app.any.run/tasks/9fb94ec1-45ea-48fd-ac1a-b1dc1efa68e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58536/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bef357390b996474128c55
Tags:
ransomware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching a service
Loading a system driver
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/69bef3a9493cb7d62d0b4590/reports/c9fdc615-2b41-459b-94a8-9eeb0925549f/overview
Verdict:
Malicious
Labled as:
BAT/Obfuscated.AZ trojan
Link:
https://www.hybrid-analysis.com/sample/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
Verdict:
Malicious
File Type:
unix shell
Detections:
PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb HEUR:Trojan.BAT.Alien.gen
Link:
https://opentip.kaspersky.com/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde/results?tab=lookup
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1887233
Signature
Creates multiple autostart registry keys
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1887233 Sample: Xeno.bat Startdate: 21/03/2026 Architecture: WINDOWS Score: 100 118 hasteb.in 2->118 120 salat.cn 2->120 122 4 other IPs or domains 2->122 138 Suricata IDS alerts for network traffic 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 Multi AV Scanner detection for submitted file 2->142 144 10 other signatures 2->144 11 cmd.exe 1 2->11         started        14 cmd.exe 1 2->14         started        16 cmd.exe 2->16         started        18 13 other processes 2->18 signatures3 process4 signatures5 164 Suspicious powershell command line found 11->164 20 powershell.exe 14 11->20         started        24 conhost.exe 11->24         started        26 powershell.exe 12 14->26         started        28 conhost.exe 14->28         started        30 powershell.exe 16->30         started        32 conhost.exe 16->32         started        34 powershell.exe 18->34         started        36 powershell.exe 18->36         started        38 18 other processes 18->38 process6 file7 110 C:\ProgramData\Xeno.bat:Zone.Identifier, ASCII 20->110 dropped 112 C:\ProgramData\Xeno.bat, DOS 20->112 dropped 146 Suspicious powershell command line found 20->146 148 Found many strings related to Crypto-Wallets (likely being stolen) 20->148 150 Suspicious execution chain found 20->150 152 Found suspicious powershell code related to unpacking or dynamic code loading 20->152 40 powershell.exe 15 15 20->40         started        44 powershell.exe 26->44         started        46 powershell.exe 30->46         started        48 powershell.exe 34->48         started        50 powershell.exe 36->50         started        52 powershell.exe 38->52         started        54 powershell.exe 38->54         started        56 powershell.exe 38->56         started        58 5 other processes 38->58 signatures8 process9 dnsIp10 124 hasteb.in 45.33.64.25, 443, 49693, 49704 LINODE-APLinodeLLCUS United States 40->124 126 raw.githubusercontent.com 185.199.110.133, 443, 49694, 49705 FASTLYUS Netherlands 40->126 156 Creates multiple autostart registry keys 40->156 158 Writes to foreign memory regions 40->158 160 Injects a PE file into a foreign processes 40->160 60 2 other processes 40->60 162 Excessive usage of taskkill to terminate processes 44->162 65 6 other processes 44->65 128 pastefy.app 104.21.49.12, 443, 49718, 49725 CLOUDFLARENETUS United States 46->128 67 6 other processes 46->67 69 6 other processes 48->69 71 6 other processes 50->71 73 4 other processes 52->73 75 4 other processes 54->75 77 4 other processes 56->77 130 172.67.188.196, 443, 49737 CLOUDFLARENETUS United States 58->130 79 15 other processes 58->79 signatures11 process12 dnsIp13 132 dns.google 8.8.4.4, 443, 49707 GOOGLEUS United States 60->132 134 cloudflare-dns.com 104.16.249.249, 443, 49706 CLOUDFLARENETUS United States 60->134 136 salat.cn 104.21.60.88, 443, 49709, 49712 CLOUDFLARENETUS United States 60->136 114 C:\Program Filesbehaviorgraphoogle\Chrome\...\RegAsm.exe, PE32 60->114 dropped 116 C:\Program Files (x86)\...\RegAsm.exe, PE32 60->116 dropped 166 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 60->166 168 Tries to harvest and steal browser information (history, passwords, etc) 60->168 170 Tries to steal Crypto Currency Wallets 60->170 174 2 other signatures 60->174 87 3 other processes 60->87 172 Found many strings related to Crypto-Wallets (likely being stolen) 65->172 90 2 other processes 65->90 92 2 other processes 67->92 94 2 other processes 69->94 96 2 other processes 71->96 81 conhost.exe 73->81         started        83 conhost.exe 75->83         started        85 conhost.exe 77->85         started        98 3 other processes 79->98 file14 signatures15 process16 signatures17 100 conhost.exe 81->100         started        154 Loading BitLocker PowerShell Module 87->154 102 conhost.exe 87->102         started        104 conhost.exe 87->104         started        106 conhost.exe 87->106         started        108 WmiPrvSE.exe 87->108         started        process18
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-03-21 14:39:10 UTC
File Type:
Text (Batch)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5ntzkr2ovgch6jjufmry2zthr62ccakl7py5ivdjf6rkbnwbxpa._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
79f994387f765567940cd3a23504170bbf78c7e3bbb50f79dc590a70090ab8d3
SalatStealer
9b9f0a47f0e1ed11995b18ca0eec65c53c8e027076fa8be151271b6f0b110276
SalatStealer
db6381cb9c7713c1b142fa6013d85c84e8121917036131e707488f1dc1111f2e
SalatStealer
error
SalatStealer
f67a9f79d2adf2ed0b74c2ba2f8b841d4b86830f648fa63b654839fb5eff2049
SalatStealer
+ 236 additional samples on MalwareBazaar
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access defense_evasion discovery execution persistence spyware stealer upx
Link:
https://tria.ge/reports/260321-ychw7saz4s/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect SalatStealer payload
Salatstealer family
salatstealer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/58536/

Comments