MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 56 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c
SHA3-384 hash: 965bcadb5d03d605c51b08589252ae3060f33a1bd7e15c81c0ff5ff9ee6d18fc632ae9b2d96295550d65e364c01b9bf9
SHA1 hash: 43d77dc2ad2c7d22a670bd0b7acca14a3fae183a
MD5 hash: 8be048e31c7366426ad824d5feb5194d
humanhash: bluebird-friend-autumn-island
File name:8be048e31c7366426ad824d5feb5194d.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'249'152 bytes
First seen:2026-03-11 07:11:51 UTC
Last seen:2026-03-14 15:52:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (405 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:BLC7y9+e8eIeANoFcjexKYXhPf7VyJ1FewwzQT/WvzJLvQl8NSS+xYAJzcEWsghB:tC7yRLnFcj+Xdiaz99kUgxYKnWseD5b
Threatray 853 similar samples on MalwareBazaar
TLSH T1EAE533345931260ADABDDB7272F62C3A34F9DC764FA64399F18CC025E6479CA301CAD9
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer UPX
File size (compressed) :3'249'152 bytes
File size (de-compressed) :11'420'160 bytes
Format:win32/pe
Unpacked file: 8f857b06d1794f821f1dfad1c7ae2b57f93c6a8b17d0170b46ef4f3c08fc6986

Intelligence

File Origin
# of uploads :
3
# of downloads :
157
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/9b4819c4-a355-41f8-9e7b-07db7821f33e/
Malware family:
n/a
ID:
1
File name:
8be048e31c7366426ad824d5feb5194d.exe
Verdict:
Malicious activity
Analysis date:
2026-03-11 07:13:13 UTC
Tags:
salatstealer stealer upx susp-powershell golang auto-reg ms-smartcard
Link:
https://app.any.run/tasks/5d0fa425-4b60-4daf-adf6-2540e40ddde0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57008/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Salat.332.30903.24638.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b115dce5dc8e2b2c325fd6
Tags:
stration bitcoin crypt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed salatstealer stealer unsafe upx
Link:
https://www.filescan.io/uploads/69b115d791ad9169e538f882/reports/783ed95d-1703-46f0-965a-e32d0a2782a0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Downloader.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb Trojan-Banker.Win32.Agent.gen UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d34c60d3-9a15-4f42-8c92-8bc9f52f7332
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1881654
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1881654 Sample: IjDIfhRVLz.exe Startdate: 11/03/2026 Architecture: WINDOWS Score: 100 46 tonapi.io 2->46 48 salat.cn 2->48 50 3 other IPs or domains 2->50 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Antivirus detection for URL or domain 2->64 66 7 other signatures 2->66 9 Xeno.exe 1 2->9         started        11 IjDIfhRVLz.exe 1 1 2->11         started        16 Xeno.exe 1 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 20 Xeno.exe 30 3 9->20         started        52 217.26.28.234, 443, 49701, 49711 ITAEC-ASRU Russian Federation 11->52 54 dns.google 8.8.4.4, 443, 49698, 49708 GOOGLEUS United States 11->54 56 2 other IPs or domains 11->56 44 C:\Users\user\AppData\Roaming\Xeno.exe, PE32 11->44 dropped 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->82 84 Found many strings related to Crypto-Wallets (likely being stolen) 11->84 24 Xeno.exe 11->24         started        26 Xeno.exe 16->26         started        file6 signatures7 process8 file9 40 C:\Program Filesbehaviorgraphoogle\Chrome\...\Xeno.exe, PE32 20->40 dropped 42 C:\Program Files (x86)\Microsoft\...\Xeno.exe, PE32 20->42 dropped 68 Found many strings related to Crypto-Wallets (likely being stolen) 20->68 70 Tries to harvest and steal browser information (history, passwords, etc) 20->70 72 Tries to steal Crypto Currency Wallets 20->72 74 Uses the Windows Restart Manager Abuse for Browser Credential File unlocking 20->74 28 powershell.exe 15 31 20->28         started        32 Xeno.exe 20->32         started        34 Xeno.exe 20->34         started        76 Antivirus detection for dropped file 24->76 78 Multi AV Scanner detection for dropped file 24->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->80 signatures10 process11 dnsIp12 58 gitlab.com 172.65.251.78, 443, 49714, 49715 CLOUDFLARENETUS United States 28->58 86 Loading BitLocker PowerShell Module 28->86 36 conhost.exe 28->36         started        38 WmiPrvSE.exe 28->38         started        signatures13 process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8be048e31c7366426ad824d5feb5194d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c
Threat name:
Win32.Spyware.SalatStealer
Create hunting rule
Status:
Malicious
First seen:
2026-03-11 02:28:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxrs4yo3iiffx7f4hl2tmlxzh3sn5imi2qehvo5iq3fku34b3moa._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
20a64b7b18933e9d5a8c73528758aa533d8b3ff1b8499b187fb52d3a22735e62
SalatStealer
33a369654917f0fef6b1915415402ed0fe34f0f7b0e5b43498cff80dd0cd11b1
SalatStealer
8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
SalatStealer
bfb55fd8f5cdaf3afc166d5343d08fd29a894361ca123cec7029f1a1588a89a3
SalatStealer
d43020bc9ddeb79e896073252c7573d849d45192fd3b9ed76101c3e3eed7a386
SalatStealer
+ 843 additional samples on MalwareBazaar
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery stealer upx
Link:
https://tria.ge/reports/260311-h1p3esgv2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
UPX packed file
Detect SalatStealer payload
Salatstealer family
salatstealer
Unpacked files
SH256 hash:
7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c
MD5 hash:
8be048e31c7366426ad824d5feb5194d
SHA1 hash:
43d77dc2ad2c7d22a670bd0b7acca14a3fae183a
Link:
https://www.unpac.me/results/1f5e4d26-51bb-42a7-9d64-51f2fdf1db7d/
SH256 hash:
6366dc18f55d64ea29cbb5ac1a2c9c9e2b51552c9982b1a58e07e243cb5579ef
MD5 hash:
a5ec38eed0806d47ae5c2fd05911c8f4
SHA1 hash:
344de051888e34f161c2727157bc8e04d37029e2
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/1f5e4d26-51bb-42a7-9d64-51f2fdf1db7d/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7de32e61db42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Generic_Threat_19854dc2
Create hunting rule
Author:Elastic Security
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 7de32e61db420a5bfcbc3af5362ef93ee4dea188d4087abba886caaa6f81db1c

(this sample)

SalatStealer

Executable exe 8f857b06d1794f821f1dfad1c7ae2b57f93c6a8b17d0170b46ef4f3c08fc6986

Cape
Cape
https://www.capesandbox.com/analysis/57008/
  
Dropping
SHA256 8f857b06d1794f821f1dfad1c7ae2b57f93c6a8b17d0170b46ef4f3c08fc6986
  
Dropping
MD5 978bf9e76249b6a4a03893d6963c4cb6

Comments