MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f
SHA3-384 hash: b251ca267f0c5f2bf9980215ae3ddd693b70bf2664b516addc9c82f7610e295ab7aa673164115d09d9009f5577828160
SHA1 hash: 90b1d3df7d1d405bc311af1392f27289c86cf2a2
MD5 hash: 8cef29a7f03266525098d31127f3f9b8
humanhash: december-edward-carbon-kitten
File name:SecuriteInfo.com.Win64.MalwareX-gen.88962965
Download: download sample
Signature SalatStealer
Create hunting rule
File size:5'719'552 bytes
First seen:2025-08-11 20:21:34 UTC
Last seen:2025-08-11 21:15:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f2b8e732a057a6213dc3fae875c5b9c (8 x LummaStealer, 4 x Rhadamanthys, 2 x DarkCloud)
ssdeep 98304:TtKXw8uj24Pk7TDQWbd9lII+TQ40hfG9hJ2JMkZ0DKnwKRjgYAz1o:ToXw8uj2SkMuwrn9hJeWDKnwKSjzO
TLSH T109460118E87990D6FCC301B13B699252E4237F7BCE3C69AB50F89B50114AEED163B527
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
52
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
_9dfdf3dbf222a53f5fb4fb01d471ad18531a9f0758d25a08bdfe738bdbbcf253.exe
Verdict:
Malicious activity
Analysis date:
2025-08-11 20:14:19 UTC
Tags:
gcleaner loader lumma stealer amadey auto redline botnet arch-exec telegram auto-startup themida auto-reg evasion rdp purelogsstealer
Link:
https://app.any.run/tasks/e27240fa-9917-4be9-a8fd-cc5f4406a3bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20215/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.88962965.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689a5107fca70bd90e8e702e
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/689a50fc9ef4d2ff7cf6fa5a/reports/5ec69a04-f982-4c09-a688-b1ce2349f39a/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2d98cd94-7332-48cd-b24b-379abd98ac5a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/8cef29a7f03266525098d31127f3f9b8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-11 18:12:32 UTC
File Type:
PE+ (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzerojv7zh22l5uemenvbevklk7rucxcagq44pfrwjwj5xp4tq7q._file
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access defense_evasion discovery spyware stealer trojan upx
Link:
https://tria.ge/reports/250811-y5sxwatzbz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Downloads MZ/PE file
Detect SalatStealer payload
Salatstealer family
UAC bypass
salatstealer
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66e22352-6a1b-479e-945e-d9d506287d5a
Unpacked files
SH256 hash:
6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f
MD5 hash:
8cef29a7f03266525098d31127f3f9b8
SHA1 hash:
90b1d3df7d1d405bc311af1392f27289c86cf2a2
Link:
https://www.unpac.me/results/25ee0351-7d26-409b-9435-e61160ab311b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6e491726bfc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SalatStealer

Executable exe 6e491726bfc9f5a5f684611b5092aa5abf1a0ae201a1ce3cb1b26c9eddfc9c3f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3600940/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20215/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExW

Comments