MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SalatStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6
SHA3-384 hash:	8b1fa85714417c3cc23c07032a8f92e14c6fbce3f1dfa06bf1df5f9d0ea33b3a8be2ff9880af6af95b141c106577bc4c
SHA1 hash:	d0e1985ddb0903325937a8ecfd4586f5d1433616
MD5 hash:	86bfcfb543cf49892fa07d85304f5a5f
humanhash:	rugby-oscar-london-low
File name:	file
Download:	download sample
Signature	SalatStealer Create hunting rule
File size:	1'540'481 bytes
First seen:	2026-02-09 16:10:19 UTC
Last seen:	2026-02-09 18:33:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f1435e18a1e876c30356812ffec72f27 (1 x SalatStealer)
ssdeep	24576:B0Bp/0Efmoa3c2bKAUSW1ie8JsU3Aot+Ec0xMk1qqIcoyBja:2Bp/0ua3cUKCW1ibqqIcoyBja
TLSH	T11D650A83BACB4CE6CAC6577895D343316738FD258B1A5F2B6B08C6316D536C5BE4AB00
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 SalatStealer

Bitsight

url: http://130.12.180.43/files/7782139129/6uq3tqv.exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6.exe

Verdict:

Malicious activity

Analysis date:

2026-02-09 16:13:03 UTC

Tags:

salatstealer stealer ms-smartcard upx susp-powershell golang

Link:

https://app.any.run/tasks/3ad9c28d-37e9-4268-9dc7-162b4c9e52dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52812/

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698a06f642fd65534ccdf088

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug meterpreter mingw overlay packed

Link:

https://www.filescan.io/uploads/698a06ee930564ff3c949d06/reports/27a2daff-d4f7-4085-a442-3a1c8573cada/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Win64.Salat.sb

Link:

https://opentip.kaspersky.com/7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6/results?tab=lookup

Malware family:

SalatStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/284a9807-6095-42b9-b997-19a7b562b4c8

Score:

72%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/86bfcfb543cf49892fa07d85304f5a5f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6/

Verdict:

Malicious

Threat:

Family.SALATSTEALER

Link:

https://tip.neiki.dev/file/7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p3f45todprk6c5l4da5i656jwjet2iai6t5m3y7qrh23xkxrwsta._file

Result

Malware family:

salatstealer

Score:

10/10

Tags:

family:salatstealer discovery execution stealer upx

Link:

https://tria.ge/reports/260209-tmkrbsbw6g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

UPX packed file

Checks computer location settings

Executes dropped EXE

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detect SalatStealer payload

Salatstealer family

salatstealer

Unpacked files

SH256 hash:

7ecbcecdc37c55e1757c183a8f77c9b2493d2008f4facde3f089f5bbaaf1b4a6

MD5 hash:

86bfcfb543cf49892fa07d85304f5a5f

SHA1 hash:

d0e1985ddb0903325937a8ecfd4586f5d1433616

Link:

https://www.unpac.me/results/db7d4646-cd57-4d62-9837-a3ed6967799f/

Malware family:

SalatStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7ecbcecdc37c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)