MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df
SHA3-384 hash: ae0edf144bda26d65edb258ab7eff14380b3d20bc819ff702066c33ad0f79c31632cd6b81b48a8f14fe496cb7866eef8
SHA1 hash: 97fa9b3a9c64b30948a2311d585f7476292aefc3
MD5 hash: 3a040ac2146eaceb13d9ab77e181fad0
humanhash: twenty-arizona-diet-echo
File name:3a040ac2146eaceb13d9ab77e181fad0.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'511'808 bytes
First seen:2025-09-29 13:51:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (391 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:JOMRGFlukFTFsBYxgFUqIMuYnVbubG8b/3ofZCk13ail:JfGFlukRFuYaz9lVS6Q/3wC6tl
TLSH T176F533CA714AB263D7C3157B65B4B9135DCEDBBB89E1068B2009432A585F2F70A2C7C7
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
26050d348e64d5cf3a9caecf5edbc3631525364b724bc178e3635ca331d1796c
Verdict:
Malicious activity
Analysis date:
2025-09-29 02:34:16 UTC
Tags:
loader
Link:
https://app.any.run/tasks/ac1a7635-1072-4f9b-bbc2-5d7958936195

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29423/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68da8ee840b7da0b4eb8b7e5
Tags:
stealer virus crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
babar obfuscated packed packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/68da8f1e6c140e5b35ff4cbe/reports/e76f0b95-5512-4c24-82e6-9cc69c944036/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T22:45:00Z UTC
Last seen:
2025-09-25T22:45:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-PSW.Win32.Convagent.gen Trojan-Downloader.Win32.Agent.sb Trojan-Banker.Win32.Agent.gen PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb
Link:
https://opentip.kaspersky.com/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1d35da11-34ac-45f9-bd3e-d16173186769
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785911
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785911 Sample: psOpqAnXMc.exe Startdate: 29/09/2025 Architecture: WINDOWS Score: 100 42 release-assets.githubusercontent.com 2->42 44 raw.githubusercontent.com 2->44 46 2 other IPs or domains 2->46 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Salat Stealer 2->68 70 2 other signatures 2->70 8 build.exe 30 1 2->8         started        12 psOpqAnXMc.exe 1 1 2->12         started        15 svchost.exe 1 1 2->15         started        17 build.exe 2->17         started        signatures3 process4 dnsIp5 54 104.21.81.197, 443, 50003 CLOUDFLARENETUS United States 8->54 80 Found many strings related to Crypto-Wallets (likely being stolen) 8->80 82 Tries to harvest and steal browser information (history, passwords, etc) 8->82 84 Tries to steal Crypto Currency Wallets 8->84 19 powershell.exe 15 32 8->19         started        56 8.8.4.4, 443, 58042 GOOGLEUS United States 12->56 58 dns.google 8.8.8.8, 443, 50000, 50001 GOOGLEUS United States 12->58 60 172.67.146.62, 443, 58044 CLOUDFLARENETUS United States 12->60 40 C:\Users\user\AppData\Roaming\build.exe, PE32 12->40 dropped 24 build.exe 12->24         started        62 127.0.0.1 unknown unknown 15->62 file6 signatures7 process8 dnsIp9 48 github.com 140.82.113.3, 443, 49693 GITHUBUS United States 19->48 50 release-assets.githubusercontent.com 185.199.108.133, 443, 49694 FASTLYUS Netherlands 19->50 52 raw.githubusercontent.com 185.199.110.133, 443, 49690 FASTLYUS Netherlands 19->52 32 C:\Users\user\AppData\Local\Temp\ffmpeg.exe, PE32+ 19->32 dropped 34 C:\Users\user\AppData\...\AxMSTSCLib.dll, PE32 19->34 dropped 36 C:\Users\user\AppData\Local\Temp\7z.exe, PE32+ 19->36 dropped 38 C:\Users\user\AppData\Local\Temp\7z.dll, PE32+ 19->38 dropped 72 Loading BitLocker PowerShell Module 19->72 74 Powershell drops PE file 19->74 26 WmiPrvSE.exe 2 19->26         started        28 conhost.exe 19->28         started        30 ReAgentc.exe 2 19->30         started        76 Antivirus detection for dropped file 24->76 78 Multi AV Scanner detection for dropped file 24->78 file10 signatures11 process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df
Threat name:
Win32.Infostealer.Babar
Create hunting rule
Status:
Malicious
First seen:
2025-09-26 02:45:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3imgb3wj5rivx7of4xsi5xdrcseis4mvuo5e5xxi66xdlnrq3pq._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access defense_evasion discovery persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/250929-q5yt5agp2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Downloads MZ/PE file
Detect SalatStealer payload
Salatstealer family
UAC bypass
salatstealer
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/56b29ce8-3558-45b5-9c7f-d4aad4fc56e5
Unpacked files
SH256 hash:
26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df
MD5 hash:
3a040ac2146eaceb13d9ab77e181fad0
SHA1 hash:
97fa9b3a9c64b30948a2311d585f7476292aefc3
Link:
https://www.unpac.me/results/1c03a786-f32b-48e3-a070-70490620d42f/
SH256 hash:
a979ca808845664d932e7296f33cf4da97f3f0574671937d5ba563e81d40b459
MD5 hash:
bad87aa8791f6001e152cf0aba08f00b
SHA1 hash:
3a797b85bf5c72dd7d8fe04144c206a12b7f2b74
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/1c03a786-f32b-48e3-a070-70490620d42f/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26d0c307764f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/26d0c307764f628adfee2f2f2476e388a4444b8cad1dd276f747bd71adb186df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29423/

Comments