MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 20


Intelligence 20 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4
SHA3-384 hash: 9a8635abb64db45ca427889f8d2268c115d2c2404f4be7421f722b2d112dadbae1f5ecdd02a911ed50fafc736f22877a
SHA1 hash: 621aa23811834b4c7c3d7619e4ca85151773faa8
MD5 hash: 081fdf7315ac016e6e578ac19fae15bb
humanhash: diet-beer-arkansas-freddie
File name:081fdf7315ac016e6e578ac19fae15bb.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'289'600 bytes
First seen:2025-12-08 18:58:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (384 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:q+zjp61PTHVRPaFHpI64ZNNsj7dI5u8vSi6q1FoBkOL5FqsqN+Ekl2KQUAvf7J:qrbuFiZK7d2FH6qnfGnlxQbvf
TLSH T1FEE53364EE00973CFA5F42B9519E5C6A8A1713FCC7B7AF6D052A3B07D1A708B3065B14
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe UPX
File size (compressed) :3'289'600 bytes
File size (de-compressed) :11'654'656 bytes
Format:win32/pe
Unpacked file: 2c58a41615f59e32da8ef95266aacad86638606cabef99d92d69df32ac43de4b

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker Salat
Details
PEPacker
a UPX version number and an unpacked binary
Salat
decrypted c2 urls
Link:
https://research.acce.ciphertechsolutions.com/results/fb126be9-c135-401b-87d4-7361f73f51b5/
Malware family:
n/a
ID:
1
File name:
081fdf7315ac016e6e578ac19fae15bb.exe
Verdict:
Malicious activity
Analysis date:
2025-12-08 19:14:37 UTC
Tags:
ms-smartcard stealer salatstealer upx golang
Link:
https://app.any.run/tasks/1791f2c2-2422-4cb9-a36d-1df49873347e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43911/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69371febdb58e1a2c22ba2e5
Tags:
crypt spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/69372000ff25e40750d7f8fb/reports/62e27ef0-cd38-4444-a1cf-f76697085e58/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-06T11:24:00Z UTC
Last seen:
2025-12-08T16:38:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb Trojan-Banker.Win32.Agent.gen Trojan-Downloader.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52a6a6ee-3310-4862-b2a7-f209908c2497
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829114
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Searches for Windows Mail specific files
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1829114 Sample: FQ6mndd4fQ.exe Startdate: 08/12/2025 Architecture: WINDOWS Score: 100 53 dns.google 2->53 61 Antivirus detection for dropped file 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 6 other signatures 2->67 8 FQ6mndd4fQ.exe 5 10 2->8         started        13 10sI24aQj5r.exe 1 2->13         started        15 J0qMQPc8L7WKXmq7so.exe 1 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 55 8.8.4.4, 443, 61598 GOOGLEUS United States 8->55 57 dns.google 8.8.8.8, 443, 50013, 50014 GOOGLEUS United States 8->57 59 172.67.190.135, 443, 50016, 61600 CLOUDFLARENETUS United States 8->59 45 C:\Users\user\...\1PmkNL5hcqij3Qa4.exe, PE32 8->45 dropped 47 C:\Users\user\...\J0qMQPc8L7WKXmq7so.exe, PE32 8->47 dropped 49 C:\Program Files (x86)\...\explorer.exe, PE32 8->49 dropped 51 2 other malicious files 8->51 dropped 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 8->81 83 Creates multiple autostart registry keys 8->83 91 2 other signatures 8->91 19 1PmkNL5hcqij3Qa4.exe 8->19         started        22 svchost.exe 5 45 8->22         started        24 10sI24aQj5r.exe 29 3 13->24         started        85 Antivirus detection for dropped file 15->85 87 Multi AV Scanner detection for dropped file 15->87 27 J0qMQPc8L7WKXmq7so.exe 15->27         started        89 Searches for Windows Mail specific files 17->89 29 WoVBflSApwOI.exe 17->29         started        31 explorer.exe 17->31         started        33 1PmkNL5hcqij3Qa4.exe 17->33         started        35 10sI24aQj5r.exe 17->35         started        file6 signatures7 process8 file9 69 Antivirus detection for dropped file 19->69 71 Multi AV Scanner detection for dropped file 19->71 41 C:\Program Filesbehaviorgraphoogle\...\10sI24aQj5r.exe, PE32 24->41 dropped 43 C:\Program Files (x86)\...\10sI24aQj5r.exe, PE32 24->43 dropped 73 Found many strings related to Crypto-Wallets (likely being stolen) 24->73 75 Tries to harvest and steal browser information (history, passwords, etc) 24->75 77 Tries to steal Crypto Currency Wallets 24->77 37 10sI24aQj5r.exe 24->37         started        39 10sI24aQj5r.exe 24->39         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/081fdf7315ac016e6e578ac19fae15bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4
Threat name:
Win32.Trojan.SalatStealer
Create hunting rule
Status:
Malicious
First seen:
2025-12-06 16:12:49 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=csgyplae3gfnmxqz3cpni26eng6rxsto5ou7tmhnfo5gwyp6epsa._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access discovery spyware stealer upx
Link:
https://tria.ge/reports/251208-xm5y2szphv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/e1ec3b18-e6c1-46f6-ae76-b7ae2ec3bd48
Unpacked files
SH256 hash:
148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4
MD5 hash:
081fdf7315ac016e6e578ac19fae15bb
SHA1 hash:
621aa23811834b4c7c3d7619e4ca85151773faa8
Link:
https://www.unpac.me/results/c79cf722-4aae-47a2-a3a7-3a41cfcaa42c/
SH256 hash:
d661e35edbc43f529bc0efd697d227898bb31331b74e6a11caf37a657aa7f026
MD5 hash:
5f06d937626d3876408190f3ffcf399e
SHA1 hash:
82946f5f536db1346adc333fa8b74ab15e8ea8ef
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/c79cf722-4aae-47a2-a3a7-3a41cfcaa42c/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/148d87ac04d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 148d87ac04d98ad65e19d89ed46bc469bd1bca6eeba9f9b0ed2bba6b61fe23e4

(this sample)

SalatStealer

Executable exe 2c58a41615f59e32da8ef95266aacad86638606cabef99d92d69df32ac43de4b

  
Dropping
SHA256 2c58a41615f59e32da8ef95266aacad86638606cabef99d92d69df32ac43de4b
  
Dropping
MD5 ec452915ce1bacf80832e1c19b25aeac
Cape
Cape
https://www.capesandbox.com/analysis/43911/

Comments