MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
SHA3-384 hash: ea09c0ed252a1ff06eeb0ce553b7ed345ed9c55fb1e5597b2db720bc2e0e44c2fe49b355acf731895a87101e2e3c87e6
SHA1 hash: 5728b9c8a57f8538b3ae6e7d3a5bffd5462ce8a0
MD5 hash: 2bbaf9ae8c73afe237e50f924c480bed
humanhash: hotel-item-indigo-sweet
File name:2bbaf9ae8c73afe237e50f924c480bed.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'098'653 bytes
First seen:2025-08-08 16:34:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (36 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:sV5Kha7KIpm7eNorMLeQW88vwzJAQeZLI+9oICzClRcWUSwSojhe4LFkguMk:sV56GKUoidEZE+oIyClRcTSit1L39k
TLSH T152E5334337E198F9F473063785946B3552FFEE282F120BDBE98148019DB92E1AA791C7
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
e2901993e6fefd4c9bbdd7a075f1d7f6e6275d6e6b49526f9f8cd5ff97157be9.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-08 02:55:16 UTC
Tags:
gcleaner loader lumma stealer telegram auto autoit amadey botnet generic
Link:
https://app.any.run/tasks/a0488526-dc34-407c-9eda-9c05695ce1a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19716/
Detection(s):
Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6896272a1e8a59ee04e78851
Tags:
obfuscate xtreme sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/6896273d9ef4d2ff7cf2e4f0/reports/c5703a25-0d31-4b88-8b7f-2af683bf8a5e/overview
Verdict:
Malicious
Labled as:
Malware/7zip
Link:
https://www.hybrid-analysis.com/sample/57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6de89bcc-e710-4678-a2b7-4ed8de7e603c
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753149
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Encrypted powershell cmdline option found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753149 Sample: 7nIwX9ZSVr.exe Startdate: 08/08/2025 Architecture: WINDOWS Score: 100 84 x.ns.gin.ntt.net 2->84 86 time.google.com 2->86 88 20 other IPs or domains 2->88 102 Antivirus detection for dropped file 2->102 104 Multi AV Scanner detection for dropped file 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 5 other signatures 2->108 13 7nIwX9ZSVr.exe 8 2->13         started        17 svchost.exe 2->17         started        19 svchost.exe 2->19         started        21 7 other processes 2->21 signatures3 process4 dnsIp5 76 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 13->76 dropped 78 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 13->78 dropped 132 Contains functionality to register a low level keyboard hook 13->132 24 cmd.exe 2 13->24         started        26 OpenWith.exe 13->26         started        134 Changes security center settings (notifications, updates, antivirus, firewall) 17->134 30 WerFault.exe 19->30         started        90 127.0.0.1 unknown unknown 21->90 file6 signatures7 process8 dnsIp9 32 ycorigg.exe 3 24->32         started        35 7z.exe 2 24->35         started        37 7z.exe 3 24->37         started        39 11 other processes 24->39 92 cloudflare-dns.com 104.16.249.249, 443, 49718, 49752 CLOUDFLARENETUS United States 26->92 94 94.26.90.16, 1888, 49719 ASDETUKhttpwwwheficedcomGB Bulgaria 26->94 96 nexus-cloud-360.com 26->96 124 Query firmware table information (likely to detect VMs) 26->124 126 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 26->126 128 Checks if the current machine is a virtual machine (disk enumeration) 26->128 130 2 other signatures 26->130 signatures10 process11 file12 70 C:\Users\user\AppData\Local\Temp\ycorig.exe, PE32 32->70 dropped 72 C:\Users\user\AppData\Local\Temp\winr.exe, PE32 32->72 dropped 41 winr.exe 1 32->41         started        44 ycorig.exe 2 32->44         started        74 C:\Users\user\AppData\Local\...\ycorigg.exe, PE32 35->74 dropped process13 signatures14 118 Multi AV Scanner detection for dropped file 41->118 120 Encrypted powershell cmdline option found 41->120 46 powershell.exe 15 20 41->46         started        122 Antivirus detection for dropped file 44->122 51 WerFault.exe 44->51         started        process15 dnsIp16 98 adobehelp.net 104.21.64.1, 443, 49699 CLOUDFLARENETUS United States 46->98 80 C:\Users\user\AppData\...\winupdater64.exe, PE32 46->80 dropped 82 C:\Users\user\AppData\Local\...\installer.exe, PE32 46->82 dropped 100 Powershell drops PE file 46->100 53 installer.exe 46->53         started        56 winupdater64.exe 46->56         started        58 conhost.exe 46->58         started        file17 signatures18 process19 signatures20 110 Antivirus detection for dropped file 53->110 112 Multi AV Scanner detection for dropped file 53->112 114 Query firmware table information (likely to detect VMs) 53->114 116 2 other signatures 53->116 60 cmd.exe 56->60         started        process21 process22 62 conhost.exe 60->62         started        64 mode.com 60->64         started        66 7z.exe 60->66         started        68 7 other processes 60->68
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/2bbaf9ae8c73afe237e50f924c480bed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72/
Verdict:
Malicious
Threat:
Trojan.Win32.Delfea
Link:
https://tip.neiki.dev/file/57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-07 14:41:28 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7kznmu5n7bmsf2qgeledgixy5gvas7hom5tdlcgg63hslukx5za._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:salatstealer credential_access defense_evasion discovery spyware stealer themida trojan upx
Link:
https://tria.ge/reports/250808-t3lnkawscw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect SalatStealer payload
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Salatstealer family
Suspicious use of NtCreateUserProcessOtherParentProcess
salatstealer
Verdict:
Malicious
Tags:
Win.Malware.7zip-10013374-0
YARA:
n/a
Link:
https://app.threat.zone/submission/616b1430-e2f6-4fa4-ac97-8cc1eea3bdc0
Unpacked files
SH256 hash:
57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
MD5 hash:
2bbaf9ae8c73afe237e50f924c480bed
SHA1 hash:
5728b9c8a57f8538b3ae6e7d3a5bffd5462ce8a0
Link:
https://www.unpac.me/results/396a05db-8cf3-4d0b-9302-5d1346b9700b/
SH256 hash:
4b34bff4ca00adc844bda9bb5490188ee5a164ca7a9987f5c9df07583df12d5a
MD5 hash:
f3b4fb33404860c98f6c6d2026d88143
SHA1 hash:
518ee53352a509a4517653e216f1cedb05846c40
Link:
https://www.unpac.me/results/396a05db-8cf3-4d0b-9302-5d1346b9700b/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57d596b29d6f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:observer
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked observer malware samples.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19716/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments