MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
SHA3-384 hash: 5d53eb884b39e25a5bb356d4c29c9309b61da7e9053ee2b2c4f6c563a89dbef778caee0878a8b1f4ce0371b65ac483e3
SHA1 hash: 7a71372dc18864abf1dc36f351edf65eb788b74d
MD5 hash: 0ae38e165ce11b7e6805f8f26850b307
humanhash: north-speaker-artist-pizza
File name:0ae38e165ce11b7e6805f8f26850b307.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'241'984 bytes
First seen:2026-01-12 14:58:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (387 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:NWVkn0u7gc5+5dRxQYzA43r0dD2lEdx/k/vmga6ELlBhqIXH/OvzgC3rAf:eC7gc0nSYzA434YaRp6ELkIvOvzt3r
TLSH T1BFE533A5A935D60ECF36B2327FCDA1AB29CCB816C0F65C2178623965D02161F9E573C3
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe UPX
File size (compressed) :3'241'984 bytes
File size (de-compressed) :11'399'680 bytes
Format:win32/pe
Unpacked file: fe6a4ddfac61b6a0477e2916d3b9f575105293a7d2d55e9dee18aed9ef6d268d

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker Salat
Details
PEPacker
a UPX version number and an unpacked binary
Salat
decrypted c2 urls
Link:
https://research.acce.ciphertechsolutions.com/results/8acd4ab2-ebc6-4f90-98c3-7d5dae7fbd0c/
Malware family:
n/a
ID:
1
File name:
0ae38e165ce11b7e6805f8f26850b307.exe
Verdict:
Malicious activity
Analysis date:
2026-01-12 14:59:49 UTC
Tags:
salatstealer stealer upx golang
Link:
https://app.any.run/tasks/ae8d275c-8921-4200-a232-8076c875f1ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48626/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69650c14a3ed2a87ae3ea3bb
Tags:
stealer virus overt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/69650c10a0c0d48bb4643b30/reports/add4b85a-27d4-466b-b788-d3eac4b24b9b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-08T15:55:00Z UTC
Last seen:
2026-01-10T16:38:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win64.Salat.fwj Trojan-PSW.Win32.Coins.sb
Link:
https://opentip.kaspersky.com/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/481fc66d-b0a9-4344-928b-9754d27e7cc1
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1849243
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0ae38e165ce11b7e6805f8f26850b307
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
Threat name:
Win32.Trojan.SalatStealer
Create hunting rule
Status:
Malicious
First seen:
2026-01-08 21:30:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ectew6yysm7j2wumonjiowfkkm6ywp7rxbezwgd7wuwtuittlzra._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery stealer upx
Link:
https://tria.ge/reports/260112-scc33aex6f/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
UPX packed file
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/2f26769f-991a-4ab3-94ee-b691d9e42573
Unpacked files
SH256 hash:
20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
MD5 hash:
0ae38e165ce11b7e6805f8f26850b307
SHA1 hash:
7a71372dc18864abf1dc36f351edf65eb788b74d
Link:
https://www.unpac.me/results/88bae7d8-33cb-41aa-9b9c-1a4313b42dde/
SH256 hash:
64b508d30919b4f5284d2751c09622137e845630b806fd3b169dcb47c18b500b
MD5 hash:
236d550fb59068eb124a3267edc6c331
SHA1 hash:
1ace1cacddada01440774ab42e5a991216181018
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/88bae7d8-33cb-41aa-9b9c-1a4313b42dde/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20a64b7b1893/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62

(this sample)

SalatStealer

Executable exe fe6a4ddfac61b6a0477e2916d3b9f575105293a7d2d55e9dee18aed9ef6d268d

  
Dropping
SHA256 fe6a4ddfac61b6a0477e2916d3b9f575105293a7d2d55e9dee18aed9ef6d268d
  
Dropping
MD5 8d59f1e1a0723fb942cdd4597a52359a
Cape
Cape
https://www.capesandbox.com/analysis/48626/

Comments