MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f39be5d98a3e9b0d1c3ef7874d9ca7a26c0ab25026ad220e8246bf0e515dde6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SalatStealer


Vendor detections: 19



SHA256 hash: 6f39be5d98a3e9b0d1c3ef7874d9ca7a26c0ab25026ad220e8246bf0e515dde6
SHA3-384 hash: ddbe32328273b9a7277dd69410c5da003c218335cffd2902d742680fe078efb1e51c0952a6b502e0f16ebd3b346d05a3
SHA1 hash: e03c41e337e430dba0a0027389845d56e8d05994
MD5 hash: 2261d16cc059c6495872cae7799826cc
humanhash: sweet-neptune-west-nineteen
File name: start.exe
Signature: SalatStealer
File size: 3'559'424 bytes
First seen: 2026-01-06 06:30:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (391 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:oeUK9RomgfnN1ECiHh899gTJYGtmfpmCeWhoAuZjmCkTE+Cip3U6xWxDJqBZeVJe:nUerEnNdusmYsmf7R8AHw07G8
TLSH T198F53326CD211F27EBB50632C5EBA5A698FA4E48475AD180D0BC4F38ADFC3D749BC064
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: exe UPX
File size (compressed): 3'559'424 bytes
File size (de-compressed): 12'472'320 bytes
Format: win32/pe
Unpacked file: 3f2c463e14339a12ca2b46331758af5f7baeeb7d0e02e2008052387f4c620aab

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: PEPacker, Salat
Details:
PEPacker: a UPX version number and an unpacked binary
Salat: decrypted C2 URLs
Malware family: n/a
ID: 1
File name: start.exe
Verdict: Malicious activity
Analysis date: 2026-01-04 12:51:31 UTC
Tags: ms-smartcard salatstealer stealer golang upx susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: stration crypt virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Modifying a system file
Connection attempt
Sending a custom TCP request
Blocking the User Account Control
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm anti-vm babar crypto packed packed packed stealer upx
Verdict: Malicious
File Type: exe x32
First seen: 2025-09-30T09:51:00Z UTC
Last seen: 2026-01-06T14:09:00Z UTC
Hits: ~10
Detections: Trojan-Downloader.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win64.Salat.avk Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.Win32.Convagent.gen
Malware family: SalatStealer
Verdict: Malicious
Result
Threat name: Salat Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Salat Stealer
Behaviour
Behavior Graph: ID 1845314 (Sample: start.exe, Startdate: 06/01/2026, Architecture: WINDOWS, Score: 100); the rendered process/network graph is not reproduced here.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.SalatStealer
Status: Malicious
First seen: 2025-09-30 15:26:41 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 36 (63.89%)
Threat level: 5/5
Verdict: malicious
Label(s): salatstealer
Similar samples:
Result
Malware family: salatstealer
Score: 10/10
Tags: family:salatstealer credential_access defense_evasion discovery spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Detect SalatStealer payload
Salatstealer family
UAC bypass
salatstealer
Verdict: Suspicious
Tags: trojan
YARA: SUSP_Imphash_Mar23_3
Unpacked files
SHA256 hash: 6f39be5d98a3e9b0d1c3ef7874d9ca7a26c0ab25026ad220e8246bf0e515dde6
MD5 hash: 2261d16cc059c6495872cae7799826cc
SHA1 hash: e03c41e337e430dba0a0027389845d56e8d05994
SHA256 hash: 7b4604215fd8c7b74a2d61ec14a58d3c1f2783bdc98dfdb82cf6f8a3a386df26
MD5 hash: 531715a078b3688bc27c70eade9f83a2
SHA1 hash: 2ec33ff5613b0dc8c6eddcff74e4b3b4e0360a2b
Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Malware family: SalatStealer
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 6f39be5d98a3e9b0d1c3ef7874d9ca7a26c0ab25026ad220e8246bf0e515dde6 (this sample)

Comments