MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800
SHA3-384 hash: 07f19e8537a2f009296a9ef3be6846003ea219c8a808633f45240ee3f3d5ade1418b108f0b8504ada6a81308c49b2a32
SHA1 hash: 3ec05083e616eec47c9beff5b1b52e408f87023c
MD5 hash: b2e27be69931b678ee13b42f83438dc5
humanhash: monkey-failed-jig-two
File name:b2e27be69931b678ee13b42f83438dc5.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'288'064 bytes
First seen:2025-11-13 06:13:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (289 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:GTf2CymSXEhvwRMIOQFTHZcZuww6t7CXsBMPiqIDVuNnN/4xG7VjZfu:GTffRSu+D6ZC8BYuiWwfu
TLSH T12FE5337791BE3C09E12F267996DC0EDECE05A4B59FB10DA110F9D4AEF26420528DF788
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer UPX
File size (compressed) :3'288'064 bytes
File size (de-compressed) :11'650'560 bytes
Format:win32/pe
Unpacked file: 7f45e64e06c8f0441ad2701b9bb2c0c15722d7066459eca27f41d1b05a3f428c

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800.exe
Verdict:
Malicious activity
Analysis date:
2025-11-13 06:14:06 UTC
Tags:
salatstealer stealer upx golang auto-reg
Link:
https://app.any.run/tasks/47f5d031-295f-4067-8204-fc23fc34b105

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38033/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6915771660ebe843fe8d9f43
Tags:
bitcoin virus crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-09T02:21:00Z UTC
Last seen:
2025-11-09T02:45:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-Banker.Win32.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.HashCity.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan-PSW.Win64.Salat.sb HEUR:Trojan-PSW.Win32.Coins.pef
Link:
https://opentip.kaspersky.com/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4abb3e00-bc19-4342-875b-d64af1c4858f
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1813127
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Process Parents
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1813127 Sample: 0Wsyg5HpT9.exe Startdate: 13/11/2025 Architecture: WINDOWS Score: 100 52 dns.google 2->52 62 Antivirus detection for URL or domain 2->62 64 Antivirus detection for dropped file 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 9 other signatures 2->68 8 0Wsyg5HpT9.exe 10 20 2->8         started        13 WrhyWDs0rbtkBV.exe 1 2->13         started        15 93RUdV3mNSNNtZSzP48d3t.exe 1 2->15         started        17 8 other processes 2->17 signatures3 process4 dnsIp5 58 dns.google 8.8.8.8, 443, 56050, 58074 GOOGLEUS United States 8->58 60 172.67.146.62, 443, 58076 CLOUDFLARENETUS United States 8->60 44 C:\Users\user\...\6dBfHz1KTszpJNJ4UarAN6.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\...\csrss.exe, PE32 8->48 dropped 50 7 other malicious files 8->50 dropped 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->80 82 Found many strings related to Crypto-Wallets (likely being stolen) 8->82 84 Creates multiple autostart registry keys 8->84 90 2 other signatures 8->90 19 6dBfHz1KTszpJNJ4UarAN6.exe 8->19         started        22 WrhyWDs0rbtkBV.exe 30 3 13->22         started        86 Antivirus detection for dropped file 15->86 88 Multi AV Scanner detection for dropped file 15->88 26 93RUdV3mNSNNtZSzP48d3t.exe 15->26         started        28 dllhost.exe 17->28         started        30 smss.exe 17->30         started        32 csrss.exe 17->32         started        34 StartMenuExperienceHost.exe 17->34         started        file6 signatures7 process8 dnsIp9 70 Antivirus detection for dropped file 19->70 72 Multi AV Scanner detection for dropped file 19->72 54 8.8.4.4, 443, 61615 GOOGLEUS United States 22->54 56 104.21.81.197, 443, 61617 CLOUDFLARENETUS United States 22->56 40 C:\Program Files\...\WrhyWDs0rbtkBV.exe, PE32 22->40 dropped 42 C:\Program Files (x86)\...\WrhyWDs0rbtkBV.exe, PE32 22->42 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 78 Tries to steal Crypto Currency Wallets 22->78 36 WrhyWDs0rbtkBV.exe 22->36         started        38 WrhyWDs0rbtkBV.exe 22->38         started        file10 signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b2e27be69931b678ee13b42f83438dc5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800
Threat name:
Win32.Trojan.Genie
Create hunting rule
Status:
Malicious
First seen:
2025-11-09 04:21:50 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxzy7pudkgout5dlucsayavhopk2dzizloucinofjx6hhjb7paaa._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access discovery persistence spyware stealer upx
Link:
https://tria.ge/reports/251113-hebb5shq91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/ac40e628-ffbc-4b5b-ad4c-a45f80de14cc
Unpacked files
SH256 hash:
55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800
MD5 hash:
b2e27be69931b678ee13b42f83438dc5
SHA1 hash:
3ec05083e616eec47c9beff5b1b52e408f87023c
Link:
https://www.unpac.me/results/6701b07b-5bcb-43a6-971f-9677e49dcc9c/
SH256 hash:
4f4da869c9db07c3ed9e33c158b889b314df84f98a8996bbe6b38178a52e5637
MD5 hash:
34ead15c1847a61af7f4e198a1bf6aaa
SHA1 hash:
137e8e89a65447f5e1593a57f61e200ab5e02ee3
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/6701b07b-5bcb-43a6-971f-9677e49dcc9c/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55f38fbe8351/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 55f38fbe83519d49f46ba0a40c02a773d5a1e5195ba82435c54dfc73a43f7800

(this sample)

SalatStealer

Executable exe 7f45e64e06c8f0441ad2701b9bb2c0c15722d7066459eca27f41d1b05a3f428c

Cape
Cape
https://www.capesandbox.com/analysis/38033/
  
Dropping
SHA256 7f45e64e06c8f0441ad2701b9bb2c0c15722d7066459eca27f41d1b05a3f428c
  
Dropping
MD5 3e9487501bf00185e1a22e7907b97e44

Comments