MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a
SHA3-384 hash: eea166d13346a669214f092e5ce2af1d9eade17a5f084c3ab0668d918ecc0c70a4a83bf5bfb777dd7a865f2a28da1930
SHA1 hash: 297785aff7b2d9f843c93870099f557f3d9b04ef
MD5 hash: c21c84469239ba24ad63197e8069f68f
humanhash: victor-ink-eleven-delta
File name:5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:16'227'882 bytes
First seen:2025-08-30 13:57:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (38 x BlankGrabber, 15 x PythonStealer, 15 x SalatStealer)
ssdeep 393216:jYESC+2NnhKatSdOOy1SuCq6mdUSCb5oy1Pa/wwDWtOA:jYEbhpS43Cq9qJqEP6wwDWt
TLSH T13BF6331862AA09FAECF2D93E87627C00D2697D417F69C9DF479013412D375EA4A3B3B4
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a.exe
Verdict:
Malicious activity
Analysis date:
2025-08-28 06:45:55 UTC
Tags:
python ms-smartcard stealer upx salatstealer golang
Link:
https://app.any.run/tasks/747bc1e8-b341-40bf-ac56-60f95595728a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24246/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b303903e988eb6ab82fdbc
Tags:
installer extens overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed pyinstaller threat
Link:
https://www.filescan.io/uploads/68b303c31c81c34281d8f637/reports/cb6dcc78-2012-4be7-a6ba-dbfa911cc882/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-26T11:04:00Z UTC
Last seen:
2025-08-26T11:04:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win64.Salat.aew
Link:
https://opentip.kaspersky.com/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1d423572-1528-4a85-b8cd-a47376e4b822
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768133
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files with benign system names
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for Windows Mail specific files
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768133 Sample: YPPrlk31Qm.exe Startdate: 30/08/2025 Architecture: WINDOWS Score: 100 76 dns.google 2->76 86 Antivirus detection for dropped file 2->86 88 Antivirus / Scanner detection for submitted sample 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 5 other signatures 2->92 9 YPPrlk31Qm.exe 126 2->9         started        12 svchost.exe 1 2->12         started        15 svchost.exe 2->15 injected 17 17 other processes 2->17 signatures3 process4 dnsIp5 58 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->58 dropped 60 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->60 dropped 62 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->62 dropped 64 101 other malicious files 9->64 dropped 20 YPPrlk31Qm.exe 1 9->20         started        106 Antivirus detection for dropped file 12->106 108 Multi AV Scanner detection for dropped file 12->108 110 Drops PE files with benign system names 12->110 23 svchost.exe 30 3 12->23         started        27 consent.exe 15->27         started        29 consent.exe 15->29         started        31 consent.exe 15->31         started        33 consent.exe 15->33         started        74 127.0.0.1 unknown unknown 17->74 112 Changes security center settings (notifications, updates, antivirus, firewall) 17->112 114 Searches for Windows Mail specific files 17->114 35 iTah6Gv83PWxDI8D4dcKykh.exe 17->35         started        37 w9DUpP8TF76.exe 17->37         started        39 2 other processes 17->39 file6 signatures7 process8 dnsIp9 52 C:\Users\user\Desktop\temp_8243.exe, PE32 20->52 dropped 41 temp_8243.exe 10 21 20->41         started        78 8.8.4.4, 443, 64043 GOOGLEUS United States 23->78 80 104.21.112.1, 443, 64045 CLOUDFLARENETUS United States 23->80 54 C:\Program Filesbehaviorgraphoogle\...\svchost.exe, PE32 23->54 dropped 56 C:\Program Files (x86)\...\svchost.exe, PE32 23->56 dropped 94 Tries to harvest and steal browser information (history, passwords, etc) 23->94 96 Tries to steal Crypto Currency Wallets 23->96 46 svchost.exe 23->46         started        48 svchost.exe 23->48         started        98 Writes to foreign memory regions 27->98 file10 signatures11 process12 dnsIp13 82 dns.google 8.8.8.8, 443, 59575, 61111 GOOGLEUS United States 41->82 84 104.21.32.1, 443, 61113 CLOUDFLARENETUS United States 41->84 66 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 41->66 dropped 68 C:\Users\user\AppData\Local\...\zlbrXWxU.exe, PE32 41->68 dropped 70 C:\Users\user\AppData\Local\...\svchost.exe, PE32 41->70 dropped 72 7 other malicious files 41->72 dropped 100 Creates autostart registry keys with suspicious values (likely registry only malware) 41->100 102 Creates multiple autostart registry keys 41->102 104 Drops PE files with benign system names 41->104 50 5KB0meJqSp9Qz.exe 41->50         started        file14 signatures15 process16
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/c21c84469239ba24ad63197e8069f68f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 16:10:53 UTC
File Type:
PE+ (Exe)
Extracted files:
1022
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=li5edie2vrgrokn4xwzx6fl55fhpc3nhg6xly3nqhggg6wrvbu5a._file
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery pyinstaller stealer upx
Link:
https://tria.ge/reports/250830-rakvfsal9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Executes dropped EXE
Loads dropped DLL
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2fabcea5-035a-48d9-bdca-16e5b1b1c961
Unpacked files
SH256 hash:
5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a
MD5 hash:
c21c84469239ba24ad63197e8069f68f
SHA1 hash:
297785aff7b2d9f843c93870099f557f3d9b04ef
Link:
https://www.unpac.me/results/b7f8c781-433f-45c3-a80e-1160dafdcc38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a3a41a09aac4d1729bcbdb37f157de94ef16da737aebc6db0398c6f5a350d3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24246/

Comments