MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3
SHA3-384 hash: be5e7f4259cb9abcc114905d27dc41c6fc13dd36afc525438d6a2aa80c3c3dd812a5c88ae54e74ce8832d660c8eea4d1
SHA1 hash: 3cf8ff06e7a4aa0aa24d90631bd8949b83971113
MD5 hash: 8ccb9a3bf5dbc2e80fd6baf7f0a2f321
humanhash: green-mockingbird-vermont-magazine
File name:8ccb9a3bf5dbc2e80fd6baf7f0a2f321.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:12'107'776 bytes
First seen:2025-12-03 13:53:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (281 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:MC70l0xH2VLACpFhhWRz8Xcp64ZEhI1cMmWFxpVVhkkS9V0:2O2uUWe66bqLfxHVhAL0
TLSH T182C69E45FE9740F4FD034875611F773F9632260A9728DEDFEAA02E0AE927792193E109
TrID 50.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.4% (.EXE) Win32 Executable (generic) (4504/4/1)
3.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/dea94b3d-b6f6-4d53-8793-a431861629a7/
Malware family:
n/a
ID:
1
File name:
8ccb9a3bf5dbc2e80fd6baf7f0a2f321.exe
Verdict:
Malicious activity
Analysis date:
2025-12-03 13:56:18 UTC
Tags:
susp-powershell salatstealer stealer upx golang
Link:
https://app.any.run/tasks/7c9eca2c-9fa2-4471-8241-b357385cf3cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42282/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693040e5264b106bd646713a
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
WinGo/Agent_AGeneric.QJ trojan
Link:
https://www.hybrid-analysis.com/sample/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-27T02:46:00Z UTC
Last seen:
2025-12-04T03:36:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.Win32.Agent.sb Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win64.Salat.dyf Trojan-PSW.Win32.Coins.sb
Link:
https://opentip.kaspersky.com/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b14a007f-f33b-4224-baae-c594ff4ad6a1
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1825425
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-27 07:34:39 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2vzqg33sp3bm45swst4cl362lho5l66m3r4j7hirtsuwtimc7rq._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery stealer upx
Link:
https://tria.ge/reports/251203-q69ysacp2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
UPX packed file
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/feddd879-e935-417f-8e73-e9551c990c29
Unpacked files
SH256 hash:
76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3
MD5 hash:
8ccb9a3bf5dbc2e80fd6baf7f0a2f321
SHA1 hash:
3cf8ff06e7a4aa0aa24d90631bd8949b83971113
Link:
https://www.unpac.me/results/eb416a4b-2083-4f35-bcbd-7509836270f8/
SH256 hash:
ee0e3a3e96eee1d40b6114ae2862bc55797ccf4a479141374e3cef414cae5ff6
MD5 hash:
014f53cfac41cc39e17ed2173a921773
SHA1 hash:
7c58902b17a258d2c5b1178322be1372a3e323e9
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/eb416a4b-2083-4f35-bcbd-7509836270f8/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76ab981b7b93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76ab981b7b93f61673b2b4a7c12f7ed2ceeeafde66e3c4fce88ce54b4d0c17e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42282/

Comments