MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 43 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
SHA3-384 hash: f95372218eeab045e83e2cffd79374d14c4b21478d8bbaf623effd081d01d7b75d2ed5ca8287fa6c706ce32afff18c90
SHA1 hash: ac4f8b34ca7ba3fd85dc519c97bb94771d13e02a
MD5 hash: f2a6dfd8db13c7b9c8f0658c37c5f9f2
humanhash: twenty-fanta-london-illinois
File name:BootstrapperNew.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:9'729'518 bytes
First seen:2025-06-19 18:28:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep 196608:DTCelZuf/cgDEynOjtqR1AY8ZoT55xVLGu01NGY76tZHWiiT:CUZufkyyy1AvZO5Vau01cYi5Py
TLSH T1F2A6334AE36C05F8E477A27CC8625943E6A77859433197DF039562222F136F0EE3EB61
TrID 50.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
19.7% (.EXE) Win64 Executable (generic) (10522/11/4)
9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.4% (.EXE) Win32 Executable (generic) (4504/4/1)
3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon cc8e333333338ecc (6 x SalatStealer, 3 x DCRat, 3 x SheetRAT)
Reporter aachum
Tags:exe SalatStealer


Avatar
iamaachum
https://www.youtube.com/watch?v=WP6GnearGY0 => https://disk.yandex.ru/d/L68tI1SQLQvwZg

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BootstrapperNew.exe
Verdict:
Malicious activity
Analysis date:
2025-06-19 18:31:39 UTC
Tags:
ms-smartcard susp-powershell salatstealer stealer golang upx
Link:
https://app.any.run/tasks/2ad06378-b743-43f5-8d5b-544399a7214d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10223/
Detection(s):
Win.Packed.Bladabindi-10017056-0
Create hunting rule

SecuriteInfo.com.Variant.Tedy.742456.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Creating a file in the Windows subdirectories
Modifying a system file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67e8667e-662c-424f-9e18-eccb71499cb0
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1718856
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Creates multiple autostart registry keys
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Yara detected Costura Assembly Loader
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1718856 Sample: BootstrapperNew.exe Startdate: 19/06/2025 Architecture: WINDOWS Score: 100 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 7 BootstrapperNew.exe 9 2->7         started        10 services.exe 2->10         started        13 svchost.exe 2->13         started        16 3 other processes 2->16 process3 dnsIp4 39 C:\Users\user\AppData\...\Runtime Broker.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\...\BootstrapperNew.exe, PE32+ 7->41 dropped 18 Runtime Broker.exe 2 4 7->18         started        23 BootstrapperNew.exe 17 7->23         started        63 Antivirus detection for dropped file 10->63 65 Multi AV Scanner detection for dropped file 10->65 25 powershell.exe 26 10->25         started        45 127.0.0.1 unknown unknown 13->45 file5 signatures6 process7 dnsIp8 43 172.67.191.102, 443, 56052, 62557 CLOUDFLARENETUS United States 18->43 35 C:\Users\user\AppData\Local\...\services.exe, PE32 18->35 dropped 37 C:\...\XEFESIgyu2SseXtcw.exe, PE32 18->37 dropped 55 Found many strings related to Crypto-Wallets (likely being stolen) 18->55 57 Creates multiple autostart registry keys 18->57 27 XEFESIgyu2SseXtcw.exe 18->27         started        59 Multi AV Scanner detection for dropped file 23->59 61 Loading BitLocker PowerShell Module 25->61 29 WmiPrvSE.exe 2 25->29         started        31 conhost.exe 25->31         started        33 ReAgentc.exe 2 25->33         started        file9 signatures10 process11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-15 15:29:14 UTC
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uthjrbk66y5am2tdr32ogzv5bh5injnp4pe73xigvi2snnbjzkfa._file
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery stealer upx
Link:
https://tria.ge/reports/250619-w57pxsw1e1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
Win.Packed.Bladabindi-10017056-0
YARA:
n/a
Link:
https://app.threat.zone/submission/245584d0-ee09-4c38-b55b-d530b064e38f
Unpacked files
SH256 hash:
a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
MD5 hash:
f2a6dfd8db13c7b9c8f0658c37c5f9f2
SHA1 hash:
ac4f8b34ca7ba3fd85dc519c97bb94771d13e02a
Link:
https://www.unpac.me/results/ff818c80-61f0-4c98-9f2f-2bdcd56bbbf3/
SH256 hash:
5bcc68604c4c4add6d592e0455156024e52ff10f9f06daa1f543b005d7c2a53f
MD5 hash:
1974506038c5934399de3c2f6c7544de
SHA1 hash:
2178c758de77c465014f96262caa4059ba7d996e
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/ff818c80-61f0-4c98-9f2f-2bdcd56bbbf3/
Parent samples :
f69011241df7a117e2d1e9c6c3dce12343fc25a6415fcb2581b9e9da22debc4e
5bcc68604c4c4add6d592e0455156024e52ff10f9f06daa1f543b005d7c2a53f
a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a
596ff27b44adef1e930afcc123950b24e3c3fb37fc46a860f7ab9059c584f25c
adfe883f52bd263a45dbfa0e7b8c06d9cf16cc5688a233589fb53e1e19a5f6c8
90e4da6d22fab412d9b77d1733d09ba4063bcf83838400a62b9584f963272dee
b58f9a99f7199c607317bef835bb92605b4f9bc350aa3071ccac7fef2746ab20
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:icarus
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked icarus malware samples.
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Generic_Threat_19854dc2
Create hunting rule
Author:Elastic Security
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SalatStealer

Executable exe a4ce98855ef63a066a638ef4e366bd09fa86a5afe3c9fddd06aa3526b429ca8a

(this sample)

  
Link
https://tria.ge/250619-wxflgaep9y/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10223/

Comments