MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SalatStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 9 File information Comments

SHA256 hash:	35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a
SHA3-384 hash:	2eac7b5efc7b4948bc027de9fce3f22fc4d5bcd6e0e2ba8e060e436ee71f37e2d84a9b68f6dd994973b563c377c68db2
SHA1 hash:	d3bfb3998db260c9dca7f4e0dfbd185ef71fbb1c
MD5 hash:	1f3bf9342581be8a14c6b4cea6470d63
humanhash:	alaska-double-cardinal-idaho
File name:	file
Download:	download sample
Signature	SalatStealer Create hunting rule
File size:	4'030'976 bytes
First seen:	2025-11-18 16:13:23 UTC
Last seen:	2025-11-18 16:16:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ebd0234bdb72349456a460fb384e1935 (1 x SalatStealer)
ssdeep	98304:eVb0FB32VdUw9SMsuEnwHx+Nd3JTIgTXLeU7:Wb0FB3am8DsHwHSPc6p7
Threatray	1'645 similar samples on MalwareBazaar
TLSH	T198161213F089E5ECCC96E77334C689A566BA2D053103F27D18BCBF3EAC509799612D98
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 SalatStealer

Bitsight

url: http://178.16.55.189/files/5750743047/rF606wl.exe

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://178.16.55.189:80/testmine/random.exe

Verdict:

Malicious activity

Analysis date:

2025-11-18 16:15:49 UTC

Tags:

auto redline stealer amadey botnet loader rdp generic gcleaner xor-url purecrypter upx ms-smartcard exfiltration purelogs github inno installer delphi

Link:

https://app.any.run/tasks/d8d6da09-445f-4391-bb3d-976099051f23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38583/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691c9b2bbdb0ec3a9dc31f41

Tags:

vmdetect autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

DNS request

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Sending a UDP request

Launching cmd.exe command interpreter

Running batch commands

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the Windows directory

Enabling the libraries to load when starting the app (AppInit_DLLs)

Loading a suspicious library

Creating a window

Unauthorized injection to a recently created process

Adding exclusions to Windows Defender

Enabling autorun

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm nim packed zero

Link:

https://www.filescan.io/uploads/691c9b5d56cb9be853a7333e/reports/4236f6c2-c253-44b7-9925-3933aec7afdf/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-18T13:28:00Z UTC

Last seen:

2025-11-19T00:01:00Z UTC

Hits:

~10

Detections:

Trojan-Banker.Win32.Agent.gen Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Agent.gen HEUR:Backdoor.MSIL.AsyncRat.gen Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Agent.sb Trojan.Win64.PhantomP.sb Exploit.Win32.PoolSpray.ab Trojan-Downloader.Win32.Agent.sb Trojan.Win32.AntiAV.dchw

Link:

https://opentip.kaspersky.com/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b65c70a8-1f0a-4600-a234-21cd0a101a26

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a/

Verdict:

Malicious

Threat:

Family.SALATSTEALER

Link:

https://tip.neiki.dev/file/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

Threat name:

Win64.Trojan.GenSteal

Status:

Malicious

First seen:

2025-11-18 16:14:25 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gx6ntkjjotwqvcdg527pscqapafpyh3ozryn5rimdydovychkjva._file

Verdict:

malicious

Label(s):

sheetrat

salatstealer

SalatStealer

2e11475c281ff7046bc6fb181b50ae740ff38b8a4105c5e7c670f35862f274e1

SalatStealer

58345d31f1b03c27119c13ed054ac18146f76e203aa14fa4cce7fdb0bdf41b1d

SalatStealer

811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576

SalatStealer

8f61bcc5a5896e0e861d78a7bd9dbb4fdacbce2c5d071428062207c51bc9f5cf

SalatStealer

ad61959f21fc0078c83f70d86c7b66d75a81d085409589a8f2861a9d5cb023e6

SalatStealer

c23029f315f2d0063ffaef0cb651cfcf8e39bd4f9d77aefb6a5866d73bf096db

SalatStealer

ce9ffdd4c4aae628610a18c000844f4963d763f6c3c13181c243f351b26572c4

SalatStealer

d5d4ad22502a7479bbd80571671dcebcce09ae47ce6688e32328e6c5b5758004

SalatStealer

error

SalatStealer

f6e5b7494a3de248f15384fd8bb18e44fdea052e302781cfab613facf2a8a5d7

SalatStealer

+ 1'635 additional samples on MalwareBazaar

Result

Malware family:

salatstealer

Score:

10/10

Tags:

family:salatstealer credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Link:

https://tria.ge/reports/251118-tpblfawrds/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Badlisted process makes network request

Downloads MZ/PE file

Event Triggered Execution: AppInit DLLs

Detect SalatStealer payload

Modifies WinLogon for persistence

Salatstealer family

UAC bypass

salatstealer

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9abb6e81-a04b-433d-a7ec-848ee6e1c26e

Unpacked files

SH256 hash:

35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

MD5 hash:

1f3bf9342581be8a14c6b4cea6470d63

SHA1 hash:

d3bfb3998db260c9dca7f4e0dfbd185ef71fbb1c

Link:

https://www.unpac.me/results/fdb0ef1d-443a-49a9-825d-49bb9ece66f0/

Malware family:

Alcatraz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/35fcd9a92974/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SalatStealer

exe 35fcd9a92974ed0a8866eebef90a00780afc1f6ecc70dec50c1e06eae047526a

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3711176/

Cape

https://www.capesandbox.com/analysis/38583/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample