MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
SHA3-384 hash: 5f7580f229ee9307f5ca2dd286c06c219b35fc00da50b18b768309e9eed561cf371d05e0c26aae3bba95e9a41dbdac7b
SHA1 hash: c8a8d5e0a628c6baf01e02d1b12d9a0b63e1ecf1
MD5 hash: 61d59ff5e18a579bfcff1c52cfe6f63b
humanhash: item-maine-july-kitten
File name:61d59ff5e18a579bfcff1c52cfe6f63b.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'467'264 bytes
First seen:2025-09-10 06:39:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (76 x DCRat, 22 x njrat, 17 x SalatStealer)
ssdeep 98304:906U1pwW/CtcgStnAMnkxtkW6JeqtQGMNdSiO:ORT5JIkLtnN
Threatray 195 similar samples on MalwareBazaar
TLSH T11DF5331EB5D891B9E26AA63C99070E41E7387C6547B16FCF03407ABA2F35AD08E7C711
TrID 53.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
20.9% (.EXE) Win64 Executable (generic) (10522/11/4)
8.9% (.EXE) Win32 Executable (generic) (4504/4/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
4.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61d59ff5e18a579bfcff1c52cfe6f63b.exe
Verdict:
Malicious activity
Analysis date:
2025-09-10 06:40:36 UTC
Tags:
stealer upx susp-powershell salatstealer golang
Link:
https://app.any.run/tasks/f6820adc-e49f-4358-949e-6f82ecdafc7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26612/
Detection(s):
Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c11d736e66ba602d79bb36
Tags:
trojandropper overt delf
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug dotnet lolbin packed packed
Link:
https://www.filescan.io/uploads/68c11d74cfa59bfdc7f6fc3f/reports/c8a34094-1d8c-4f0f-bc94-e1f5997775ae/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-06T13:46:00Z UTC
Last seen:
2025-09-06T13:46:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Agent.gen Trojan-Banker.Win32.Agent.gen HEUR:Trojan.Win32.Generic Trojan.Win32.SAgent.sb Trojan-PSW.Win32.Coins.sb Trojan-Dropper.Win32.Delfea.sb Trojan.Win32.Reconyc.sb Trojan.Win32.PowerSpritz.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Agent.sb Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.HashCity.sb Trojan-Downloader.Win32.Agent.sb Trojan-Dropper.Win32.Delf.eimp HEUR:Trojan-PSW.Win32.Coins.pef Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7522d4e-d0dd-4c3a-92ad-9c04f621f262
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774454
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Disables UAC (registry)
Drops executable to a common third party application directory
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774454 Sample: DYSJkKVdB7.exe Startdate: 10/09/2025 Architecture: WINDOWS Score: 100 71 release-assets.githubusercontent.com 2->71 73 raw.githubusercontent.com 2->73 75 2 other IPs or domains 2->75 103 Antivirus detection for dropped file 2->103 105 Antivirus / Scanner detection for submitted sample 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 4 other signatures 2->109 9 DYSJkKVdB7.exe 2 2->9         started        12 pROjfHVMeLqkeTD.exe 1 2->12         started        14 BGhMxbLcOcFzD8Rb.exe 2->14         started        16 5 other processes 2->16 signatures3 process4 file5 69 C:\Users\user\AppData\Local\Temp\Xeno 1.exe, PE32 9->69 dropped 18 Xeno 1.exe 3 9->18         started        21 pROjfHVMeLqkeTD.exe 15 2 12->21         started        25 BGhMxbLcOcFzD8Rb.exe 14->25         started        27 pROjfHVMeLqkeTD.exe 16->27         started        29 BGhMxbLcOcFzD8Rb.exe 16->29         started        process6 dnsIp7 63 C:\Users\user\AppData\...\Xenoexecutor.exe, PE32 18->63 dropped 65 C:\Users\user\AppData\Local\Temp\Xeno.exe, PE32+ 18->65 dropped 31 Xenoexecutor.exe 2 4 18->31         started        36 Xeno.exe 18->36         started        77 104.21.96.1, 443, 64387 CLOUDFLARENETUS United States 21->77 67 C:\Program Files\...\pROjfHVMeLqkeTD.exe, PE32 21->67 dropped 111 Found many strings related to Crypto-Wallets (likely being stolen) 21->111 113 Tries to harvest and steal browser information (history, passwords, etc) 21->113 115 Tries to steal Crypto Currency Wallets 21->115 38 powershell.exe 15 32 21->38         started        40 pROjfHVMeLqkeTD.exe 21->40         started        file8 signatures9 process10 dnsIp11 79 dns.google 8.8.8.8, 443, 61318, 62341 GOOGLEUS United States 31->79 81 104.21.80.1, 443, 62343 CLOUDFLARENETUS United States 31->81 51 C:\Users\user\...\BGhMxbLcOcFzD8Rb.exe, PE32 31->51 dropped 53 C:\...\pROjfHVMeLqkeTD.exe, PE32 31->53 dropped 89 Antivirus detection for dropped file 31->89 91 Multi AV Scanner detection for dropped file 31->91 93 Found many strings related to Crypto-Wallets (likely being stolen) 31->93 101 2 other signatures 31->101 42 BGhMxbLcOcFzD8Rb.exe 31->42         started        83 github.com 140.82.116.4, 443, 49727 GITHUBUS United States 38->83 85 raw.githubusercontent.com 185.199.110.133, 443, 49726 FASTLYUS Netherlands 38->85 87 release-assets.githubusercontent.com 185.199.111.133, 443, 49728 FASTLYUS Netherlands 38->87 55 C:\Users\user\AppData\Local\Temp\ffmpeg.exe, PE32+ 38->55 dropped 57 C:\Users\user\AppData\...\AxMSTSCLib.dll, PE32 38->57 dropped 59 C:\Users\user\AppData\Local\Temp\7z.exe, PE32+ 38->59 dropped 61 C:\Users\user\AppData\Local\Temp\7z.dll, PE32+ 38->61 dropped 95 Disables UAC (registry) 38->95 97 Loading BitLocker PowerShell Module 38->97 99 Powershell drops PE file 38->99 45 conhost.exe 38->45         started        47 WmiPrvSE.exe 38->47         started        49 ReAgentc.exe 38->49         started        file12 signatures13 process14 signatures15 117 Antivirus detection for dropped file 42->117 119 Multi AV Scanner detection for dropped file 42->119
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
Threat name:
Win32.Trojan.Dacic
Create hunting rule
Status:
Malicious
First seen:
2025-09-06 21:39:26 UTC
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gty4kigekguhlofrsyatoaedvpzfewpqdwjwjdr4yuqwvwfqvqcq._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
03c855957b1f80fcdd5e55953f206bb58e1f473d958cde0b9d83c2580f6934cd
SalatStealer
34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
SalatStealer
4ca61f5c9b88fee807cae810b4d87367c30d6d67152d166375caa2b66b152468
SalatStealer
53d84055d2e47345b78517110b02dc731a112e74cb48afd5689c03f0400e8551
SalatStealer
59b06a52f9868e199a08d3e96cedfbedf28f4b407628e423301b9fa0be666f95
SalatStealer
dc8decaba2fbe09e0ca95485ed06376e65ba7e77869868beecf8f937747a213f
SalatStealer
e3f34d76f063263d0e3c5e72ab48a786d69f7c1ee000bbceca9ababeb6d9036a
SalatStealer
error
SalatStealer
feb50d16de7aea647de6bd3748b615a86c03b452d6f97396131c4d8134c8ecef
SalatStealer
+ 185 additional samples on MalwareBazaar
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery stealer upx
Link:
https://tria.ge/reports/250910-hfl52awxhy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Checks computer location settings
Executes dropped EXE
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
Win.Trojan.Injector-6297685-1
YARA:
n/a
Link:
https://app.threat.zone/submission/8c15598f-ab40-4e98-9c50-1c054e04a4f4
Unpacked files
SH256 hash:
34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05
MD5 hash:
61d59ff5e18a579bfcff1c52cfe6f63b
SHA1 hash:
c8a8d5e0a628c6baf01e02d1b12d9a0b63e1ecf1
Link:
https://www.unpac.me/results/7377ada6-ab83-4bb7-a83f-83b23e770736/
SH256 hash:
297a23507bb6935b8608cfa556c558099f7bbd977edb45841f5e9581fa5c2805
MD5 hash:
5360e795f3db5d0ebb1d8e6b92b21a8a
SHA1 hash:
8f358285d5b2ba4ea9e2fd0fbda854f74c2b2af3
Link:
https://www.unpac.me/results/7377ada6-ab83-4bb7-a83f-83b23e770736/
SH256 hash:
72bca47a5b2148d63c42eae1e4883336adeef8b07c9a2a8daeea4575a346d7a8
MD5 hash:
a42e1f4447fc33cb1bfe4beff499d349
SHA1 hash:
d2e05c757ee5c6478bff78e9154215a6050e220d
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/7377ada6-ab83-4bb7-a83f-83b23e770736/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34f1c520c451/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34f1c520c451a875b8b19601370083abf25259f01d93648e3cc5216ad8b0ac05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26612/

Comments