MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
SHA3-384 hash: 4e6f0aee7baa7eeb18348ae0ca2b754041c3a7caa8559e8d4a02d28af9b4d578d0beaebc8510f34300cc9f5650b685a1
SHA1 hash: 15b1eedbd7df9b98b4775028e8eca9c66a5120fd
MD5 hash: 9f1c18b1e244730fbbf5019c7e028065
humanhash: five-enemy-social-west
File name:setis.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:3'250'176 bytes
First seen:2026-02-23 14:22:42 UTC
Last seen:2026-02-23 15:37:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (405 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:Fpwu3UD1ZrkcSgpIKWgpuQYzFGtwBFGZfTjRASfleLjtct2DKWE468JNEBK/Dsrk:Fpwu32Zr7I9DzFGiaf6clFtAKYRg
TLSH T147E5339DEB2F9F49D5EA80B5EF370161911B100C85E9B09F62360BE625A27C1671FE33
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter qemped
Tags:exe UPX
File size (compressed) :3'250'176 bytes
File size (de-compressed) :11'418'112 bytes
Format:win32/pe
Unpacked file: c7d59d60e4e5357c4ee64838f7401a04dcae5a82c069e9b22569f07d1ce4c268

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
ID ID
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/edcf3513-8844-4693-b5b4-985ac624e6d7/
Malware family:
n/a
ID:
1
File name:
setis.exe
Verdict:
Malicious activity
Analysis date:
2026-02-23 14:20:57 UTC
Tags:
salatstealer stealer susp-powershell upx golang
Link:
https://app.any.run/tasks/edd9499e-91b7-4be7-b4af-e809fd1a1268

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54216/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Salat.332.11761.32179.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699c62d78fffa866e3b115a5
Tags:
stration crypt virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/699c62d304510f87ba754e2d/reports/54550ef2-46ea-4cb9-8057-33316aec0f8c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.Win32.Convagent.gen
Link:
https://opentip.kaspersky.com/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a22da30b-c992-4c7d-8a33-f28dd3bec1fd
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/9f1c18b1e244730fbbf5019c7e028065
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-18 21:41:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rifsp76v5tfo3mthck7fjfybqs7fyzllfrje6em2cycppwegy4ka._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
error
SalatStealer
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer credential_access discovery persistence spyware stealer upx
Link:
https://tria.ge/reports/260223-rp8vtsfy2b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detect SalatStealer payload
Salatstealer family
salatstealer
Unpacked files
SH256 hash:
8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714
MD5 hash:
9f1c18b1e244730fbbf5019c7e028065
SHA1 hash:
15b1eedbd7df9b98b4775028e8eca9c66a5120fd
Link:
https://www.unpac.me/results/a47a6d8d-1c62-453d-9864-6909de6ce7da/
SH256 hash:
bb67b1d6e1a2b75352de125aff339e0b38452bf8cefb2c432834e20cb0db86e7
MD5 hash:
48d3550346d79addd9c05066bb65189d
SHA1 hash:
4986552933c35fa3c99905666dddacd5c8bd97d8
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/a47a6d8d-1c62-453d-9864-6909de6ce7da/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a0b27ffd5ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe 8a0b27ffd5eccaedb26712be54970184be5c656b2c524f119a1604f7d886c714

(this sample)

SalatStealer

Executable exe c7d59d60e4e5357c4ee64838f7401a04dcae5a82c069e9b22569f07d1ce4c268

Cape
Cape
https://www.capesandbox.com/analysis/54216/
  
Dropping
SHA256 c7d59d60e4e5357c4ee64838f7401a04dcae5a82c069e9b22569f07d1ce4c268
  
Dropping
MD5 ff3b6caa9e99299cf520a198188bd680

Comments