MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb7152dfc85b55593133b9cc855193a64cca9729eef74952cd4e63910feceba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SalatStealer


Vendor detections: 15



SHA256 hash: cb7152dfc85b55593133b9cc855193a64cca9729eef74952cd4e63910feceba5
SHA3-384 hash: 73b773d80a52017036d89a1ddd2d69153212a94391862ccb0268572aa95249e0d222866b915c3d415ccdf16c469be04d
SHA1 hash: 4e1b51258e5c80d222f3c4f7c0a6b011ed4539d8
MD5 hash: 25e6ab99f024b540783cace2a156ad07
humanhash: oscar-music-edward-tennis
File name: Bloxstrap-v2.9.0.exe
Download: download sample
Signature: SalatStealer
File size: 16'211'968 bytes
First seen: 2025-07-11 17:20:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 196608:FDTJ0scmsbkWSsQObAbN04A4cv0GZBl/JbPC:F/J0scmsb9NQIAO4CtBZVC
TLSH: T1D7F68D9523FC2A35E3B74B35A970B21A05367C2EA901D7DF1B85B65D2972280CDE0B73
TrID: 42.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      22.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      16.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: f67ffeff7fff7fae (2 x XWorm, 1 x SalatStealer)
Reporter: aachum
Tags: exe RUS SalatStealer


iamaachum
https://www.youtube.com/watch?v=Ult4-cy1IEY => https://mega.nz/file/LQAi1C7Q#BpW5r_wMFNbwRi-2UsXph8Vp_pcyOPK0dM_02uDvPY4

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: CZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bloxstrap-v2.9.0.exe
Verdict:
Malicious activity
Analysis date:
2025-07-11 17:25:49 UTC
Tags:
stealer upx susp-powershell golang salatstealer ms-smartcard

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect crypt virus micro
Result
Verdict:
Malware
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
Sending a UDP request
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Launching a service
Launching a process
Creating a process with a hidden window
Loading a system driver
Enabling autorun by creating a file
Malware family:
SalatStealer
Verdict:
Malicious
Result
Threat name:
Salat Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Yara detected Salat Stealer
Behaviour
Behavior Graph (ID 1734121; sample Bloxstrap-v2.9.0.exe; start date 11/07/2025; architecture WINDOWS; score 100), rendered here as a process tree:

Bloxstrap-v2.9.0.exe (submitted sample)
  Network: dns.google
  Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures
  -> Bloxstrap-v2.9.0.exe
       Dropped: C:\Users\user\AppData\Local\Temp\start.exe (PE32); C:\Users\user\...\Bloxstrap-v2.9.0.exe (PE32+)
       -> start.exe
            Network: dns.google 8.8.8.8, 443, 50313, 50400 (GOOGLEUS, United States); 104.21.48.1, 443, 58705 (CLOUDFLARENETUS, United States)
            Dropped: C:\...\SystemSettingsBroker.exe (PE32); C:\...\zQmjUiqA4zMSVweUU.exe (PE32)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Creates multiple autostart registry keys
            -> zQmjUiqA4zMSVweUU.exe
       -> Bloxstrap-v2.9.0.exe
            -> chrome.exe
                 Network: 192.168.2.15; 192.168.2.16; 3 other IPs or domains
                 Dropped: C:\Users\...\Unconfirmed 80735.crdownload (PE32); 923646dd-c159-4aa1-a998-efdc4ff9eea0.tmp (PE32)
                 -> chrome.exe
                      Network: vmss-clarity-ingest-eus-d.eastus.cloudapp.azure.com 51.8.71.184, 443, 49741 (MS-DEUTSCHLANDDE, Germany); d6tizftlrpuof.cloudfront.net 18.67.79.167, 443, 49728, 49729 (MIT-GATEWAYSUS, United States); 33 other IPs or domains
                 -> chrome.exe
  -> powershell.exe
       Signatures: Loading BitLocker PowerShell Module
       -> conhost.exe
       -> WmiPrvSE.exe
  -> zQmjUiqA4zMSVweUU.exe
       -> zQmjUiqA4zMSVweUU.exe
  -> 4 other processes
       -> zQmjUiqA4zMSVweUU.exe
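Two of the signatures raised on start.exe above, "Creates multiple autostart registry keys" and the Sigma rule "Files With System Process Name In Unsuspected Locations", reduce to simple checks over endpoint telemetry. The block below is an added example, not code from MalwareBazaar, Joe Sandbox or the Sigma project: it runs a simplified form of both checks over constructed Sysmon-style events shaped after the behavior graph. The user-profile location of SystemSettingsBroker.exe, the zQmjUiqA4zMSVweUU.exe path, the SID and the Run value names are constructed, because the report above only shows C:\...\SystemSettingsBroker.exe and does not list the keys; the system-process name list is a short subset of what a production rule carries.

```python
"""Simplified re-implementation of two sandbox signatures over Sysmon-style events.
Added example for this page; not MalwareBazaar, Joe Sandbox or Sigma project code."""
from collections import defaultdict

# Image names Windows only runs from its own directories.  Constructed subset for the
# example; the Sigma rule this mirrors carries a much longer list.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "dllhost.exe", "taskhostw.exe", "wmiprvse.exe", "explorer.exe",
    "systemsettingsbroker.exe",
}
# Directories where a file with one of those names is expected (lower-case, trailing \).
EXPECTED_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\"}
SERVICING_PREFIX = "c:\\windows\\winsxs\\"      # component store: nested copies are normal

# Registry autostart locations, matched as substrings of the lower-cased key path.
AUTOSTART_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\",
)


def system_name_in_unexpected_location(path: str) -> bool:
    """True when a system-process file name appears outside the system directories."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name not in SYSTEM_PROCESS_NAMES:
        return False
    directory = p[: len(p) - len(name)]
    if directory.startswith(SERVICING_PREFIX):
        return False
    return directory not in EXPECTED_DIRS


def is_autostart_write(event: dict) -> bool:
    """Sysmon event 13 (registry value set) targeting an autostart location."""
    if event.get("EventID") != 13:
        return False
    key = event.get("TargetObject", "").lower()
    return any(marker in key for marker in AUTOSTART_KEYS)


def triage(events, autostart_threshold: int = 2) -> list:
    """Return (rule, image, evidence) alerts.  Sysmon event 11 = FileCreate, 13 = RegistryEvent."""
    alerts = []
    autostart_by_image = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 11 and system_name_in_unexpected_location(ev["TargetFilename"]):
            alerts.append(("system_process_name_unexpected_location", ev["Image"], ev["TargetFilename"]))
        if is_autostart_write(ev):
            autostart_by_image[ev["Image"]].append(ev["TargetObject"])
    # One Run-key write is routine for installers; several from one dropper is the signature.
    for image, keys in autostart_by_image.items():
        if len(keys) >= autostart_threshold:
            alerts.append(("multiple_autostart_registry_keys", image, keys))
    return alerts


DROPPER = "C:\\Users\\user\\AppData\\Local\\Temp\\start.exe"            # path from the report above
BROKER = "C:\\Users\\user\\AppData\\Roaming\\SystemSettingsBroker.exe"  # constructed; report shows C:\...\
RUN_USER = "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"  # constructed SID
RUN_MACHINE = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed telemetry shaped after the behavior graph; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": BROKER},
    {"EventID": 11, "Image": "C:\\Windows\\WinSxS\\TiWorker.exe",
     "TargetFilename": "C:\\Windows\\System32\\conhost.exe"},             # servicing write: benign
    {"EventID": 13, "EventType": "SetValue", "Image": DROPPER,
     "TargetObject": RUN_USER + "SystemSettingsBroker", "Details": BROKER},   # value name constructed
    {"EventID": 13, "EventType": "SetValue", "Image": DROPPER,
     "TargetObject": RUN_MACHINE + "zQmjUiqA4zMSVweUU",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\zQmjUiqA4zMSVweUU.exe"},  # constructed path
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": RUN_MACHINE + "VendorUpdater", "Details": "C:\\Program Files\\Vendor\\upd.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the file check fires once (start.exe writing SystemSettingsBroker.exe under the user profile; the conhost.exe write into System32 stays silent) and the autostart check fires once for start.exe, which set two Run values; the installer that set one stays below the threshold. On real telemetry the threshold and the WinSxS exception are the two knobs that decide the false-positive rate, and the name list should be the full one from the Sigma rule rather than this subset.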
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net Executable Html PDB Path PE (Portable Executable) Win 32 Exe WSF File x86
Threat name:
Win32.Trojan.Barys
Status:
Malicious
First seen:
2025-07-11 17:21:19 UTC
File Type:
PE (Exe)
Extracted files:
356
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Result
Malware family:
salatstealer
Score:
10/10
Tags:
family:salatstealer credential_access discovery spyware stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
Win.Trojan.Injector-6297685-1
YARA:
n/a
Unpacked files (SHA256, then MD5 and SHA1 on the following line; YARA detections where present)

SHA256: cb7152dfc85b55593133b9cc855193a64cca9729eef74952cd4e63910feceba5
  MD5: 25e6ab99f024b540783cace2a156ad07  SHA1: 4e1b51258e5c80d222f3c4f7c0a6b011ed4539d8
SHA256: e26ad294b18b5971392a3c5dd1fa3f62b78eb796686381da8aa6c5fd9893128b
  MD5: f07f262b2af24aede3a4bda57b540c20  SHA1: 9a9a9306e07a4d26b093b1dbba3cbbffadd6c5cd
SHA256: e9cf94482bf1d56482de40bd336dd7219c83779b140257c5b0c8313c3f2863f9
  MD5: 83796d3e316ca559cec7d829b23db630  SHA1: 4f7325c29d786508e352154eef6f3cc1a55b8a5e
SHA256: 97e50c18f1a07bbd89ef7adbb56550b5eb3e62ae8e8ea843ddd408a839c51c1e
  MD5: f3b876057648485f8dc11d4f24721839  SHA1: cfeaaf7294921e8b684c42480ca858b5054d01f1
SHA256: 06abb92d68d86e58326129cc06b5e9797a3dedafb9deb9a3d683311d9ae71ced
  MD5: 4cf18b47b6ace18fc137259419237735  SHA1: 8f9fffb3ab331320420fc61a9f261d814d239da6
SHA256: 80d55cd3172ab9c5a7ef70e650825ad0e4ed847b7a7778a273191056e5a040db
  MD5: 522ce058af84d0ca2558574275e4cf3e  SHA1: dbfd096f881f1436488c2c528a967d92601b3c02
SHA256: b77c590f21302ed76fe6b1ca459dcb276306658a92db4c44491be1c46f3e1dae
  MD5: 8fa4dfcb44b7f2c4518de49304b0f1ad  SHA1: 6fd044ed9be8f534307082419dfd62411a2e9c9a
SHA256: 7382b418005b9b4a32009917646e9ff3c95b58272a4a96943580b29d1804a669
  MD5: 51a8f677b55275a802a65bdb69a0faba  SHA1: c81e19b01b67793bb28a7fdce863473b8fce8540
SHA256: a0a25ad8ceeceab8df929aec5da815d3a1c847b152c31ad97748d4e643531975
  MD5: 4816470f19fed99b0bd5635c9ce24c4a  SHA1: 07dc6376668dbb11ab26e53cc2de51cba41e3133
SHA256: 1d4fbfc33ce797f53858bc7323add51e4a4a8f5474f768d76c931479da1a6755
  MD5: 97dd9b7a3fe05aac9164152eb36b1b1e  SHA1: c30e1f51d0023e3e5239e2fbd7f79d03e6ed6839
SHA256: fa5089614eda509efc07980ef90213129cae7441259a73d5ce2b646fcb5903af
  MD5: 84472ea39ef11023cc3a6685ac6f1ca9  SHA1: 13f728a84fa6d020f426d1f21f3d79b7cd4188ff
SHA256: 5f56f9137f691cac4bc64b2360e5790e1c42f9255ea2133021b47056ee5c6be2
  MD5: 6d030d9ef8f0cabb8f1a5fe7181c18ac  SHA1: 7265b61e6b09f424d5ab6a47ceebf2ba4eb9650f
SHA256: 83fbdf9f5b35e2b544216df17c2923b8f300ad018da03e35d68006f36f60750a
  MD5: 4f3251f8f6212f523c4e675b765e22e4  SHA1: 7548d459f9df8fa2b4a6980ae3933a54f3fb27e3
SHA256: 10094921ba18857ddc967ba169cfdcdf448b1d665ddf978019ad4b4f7b560a7e
  MD5: 9ede7f235963319d8aa65e5249cd2e91  SHA1: fc9666904864bb5393d117d6e981f002fa3da114
SHA256: cfec7bac3bdd592d2b0ce67391df20c92c73c6974282887ccdbe357a28d2f145
  MD5: 07b12c738105c3161be77d7675e0e7b7  SHA1: 694a77b5e8252a04646aa645b80987bedef573c8
SHA256: a9b94e657e18f33b1e8b19bf61e814116bf17cc7b4a361ec333249ecb0770c96
  MD5: 2e39537cc8e1d94c8dfbca928a42b33e  SHA1: 7246d572a17399e05121e0cb2ffdfc40e9f58612
SHA256: f15dbf82bc6629b554e8568b616d1b0bbdc0563fc8c0b6f2eefccbda47bfb88d
  MD5: 8cf7f8360c9d5088104102be83279695  SHA1: 131620289572d556cea57573fd319062a3ff6233
SHA256: f92fcf835c17b2b8498b58fac3a2fa8a61c1f72dcd8f799c80e7e1e9cbe3b5e8
  MD5: d081ba73647b29661adba7cb71ab2c11  SHA1: 38caf0865139f68b810f53c8dd5c714233574f1e
SHA256: a288308e943a0c96cf696dbf7c1a9b0ee28955a6e4cf201340926242fdce1a70
  MD5: d238bc1b8e0fbae98b34ef2c1f1b3ede  SHA1: 0844b20df91353ffcc55413886a327a07d18cc21
SHA256: c0f5a8126242359bafa2b67c72593b381a26819436a7f66797dc3afd1f8e5478
  MD5: abe8079ce3c4e35fb6864118e03401ac  SHA1: d384fcb874be65f649f32aa53a493279009b4fde
SHA256: 439ac72c9df5f6efb4fb85b14d7371f135fa761f6c7041a84af949ab5ff99e37
  MD5: 38a40f998f9c832dbd92dddba7408a70  SHA1: b03ad7b37917a7f62d87c8755914b54e5ac7801a
SHA256: 20aad34e7f944da53cf0172635a3e500adc05a5050a7a76ded02dec98d07792d
  MD5: 0dd820a786c892feca3277beaaec6fa8  SHA1: 712f3db10bc1a9e3cba46e853b4b88873599906b
SHA256: 7867e7332069564fa90a40e17ae03eac4ecd6af9af5ea227c2d005f8eb9e18d2
  MD5: 637732af52f5ae10174df8547b0c4616  SHA1: fb2930276f49c77ff1aceaf8f81f5428b7e2fc10
SHA256: be9c4d277888de0b38669f2c3baef5e2e096ce417094c193ee0c9f21ad83aa9a
  MD5: 4e9417aa5839a1ecacfa443c6f32c4c5  SHA1: 5609032f812e3d03115e65d4dc458a06d6e22d79
SHA256: 389e5873aa2230bc31449a4e71d087a8c6e660b2d5e79b246488efe9467bbd3b
  MD5: 03f56fd62d2e81d34996bc100a4f908d  SHA1: 3270a53db05f100f73f37dc0591b8912e8282380
SHA256: 5bc3b31f006cd28ddde49713391e7a0f31c3c0f485d12bbdca32d20f3cb8064a
  MD5: b113da4130957c194a63747fee5c4243  SHA1: ce72474db2ddfda842341987b990e466b97bd81d
SHA256: 4ef16025d7bf801279f6abd5f1d8740628722817f50a47e02e638bc06e85b249
  MD5: dc9186f3e782588c06a3c76dfbd7e451  SHA1: c3ccc6d3fcf5029a406037922528a25cb76d8aa3
SHA256: 0cefcb07fa5ba920c46c9a5e887a3ff1fa842e34e78b3d1241442015b1fe3f3a
  MD5: 02ebd6d74eea0bf40802fa2a69984fe9  SHA1: 0d8b97b9ad1cc57af55a0f16821d381179856221
SHA256: c5bb23037d547aad0d3e672c441dd3ac444ceaa1eccc1d737416bfb0475ae5aa
  MD5: 5599f632d5a3e3cc44de1797a913df4f  SHA1: 0488eb7786010e6de2a68037c693dca591aa9db2
SHA256: 598e5f6116f6e963beff2a70f11fc3191464261589ad62b62413b6a4ff09afe5
  MD5: c1fb63ebc907356540653e0b832aa7db  SHA1: 4eb02b79d374bd6cd1461d6dc6e3ea3e05674d4d
SHA256: 8d5f11e755801900dec6190b4738bc4d0c952f8b4e92986e233faf7f5f8affd7
  MD5: 927057d5b9588a350c0f266118430e9b  SHA1: 5349c5a0ac4457abaae684460180b2b6f2c8e680
SHA256: 985d214ef572e78d560c58bc230d10eeb6634bfa6c2566c99bd780cd82b3fadd
  MD5: c428b978fd289d2ae66d722c6715e272  SHA1: 647bf50b806529d63609d9c71e2fb1eb745e7661
SHA256: 44aa10bdfcdc18d619a950f0baee9375ac0b559f2fbb39260335762d7da6d681
  MD5: 33ad937c1f5f3098974fed5ee747e8fb  SHA1: bf687e5d5a79f4bcddfe141a562b7c571f7120c3
SHA256: e0a5ff7729c5714ff63ad839c6c5897886f41af8516810f06fd36fae2c7f62cb
  MD5: c2eb2a2501ab5676639ea576b26f022f  SHA1: 4cb6f284d054049520c6e8f3993c85f9f7d6a5eb
SHA256: d9a808da1399b1bc7e174959507de8a79c77d0f87172f9bfd0e589e4328da2e8
  MD5: f308f5917f02c7afe94c783cd8722e20  SHA1: d52460b15b105bbfc41c37988eb5adc185026ba2
SHA256: 393ad68f3c1948a4d5e3683ad2ddf4c629dd2a020abd69b28304a9470e6d6f43
  MD5: c703f1413cea4ce61df44eb0ea5c737d  SHA1: eed50a672e165dcc810e8b07c8ff2a8e4146bbc4
SHA256: e6b767143862b0f4eb8e97bd5e81b1b79ab0a68a79a2c1e13e3cfa13fde3e330
  MD5: 9f446d49b87afd00cd243e534a1611b5  SHA1: e36c91084c4540959afbf86c09367bb11c3ae1e6
SHA256: 839c9f9d5405cc6c7fbb1ef6351377052b83b30e8aff525e99d779491f8770e5
  MD5: 1094385e5f467d7aff38b065e14b610b  SHA1: 9d477cf86d6764fcc0ffce921c63bb7484c28d9d
SHA256: c30bd6e4c9221b40c76b8487fd9341ead23bf6a98fc672fd2b58780069ad9858
  MD5: 77cdbb4a35553b85435fac5e8e512ab8  SHA1: 84642705f410efaea09244ee3a489824842609ba
  Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24
SHA256: 4dd4d48e0681604e3a7a72b6eae42173421d0b806b1af8fa03b45d9999978499
  MD5: c6115a08c8e50dac0194fb98d3edc9d2  SHA1: 903da7fb7ad47b7ad8eb5984ed54a865f6148744
SHA256: 168b2b97a3da00ed567f3a22d5a5e9ad0edd942d9aa77554df70658f6b4ae1ea
  MD5: 84b8165143686335e4c1c5b495f9a88a  SHA1: ec461e3850d577a96626f2558f362ae89516e19d
SHA256: 72cf291d4bab0edd08a9b07c6173e1e7ad1abb7ab727fd7044bf6305d7515661
  MD5: 916d32b899f1bc23b209648d007b99fd  SHA1: e3673d05d46f29e68241d4536bddf18cdd0a913d
SHA256: 3459f3016e6b6be94ff23112015b69facea5aacfd97b2afa7f4340108972e602
  MD5: b631c32acf7233137d43f494528eddce  SHA1: 0ee2e98018ba7bd89472241136027575ba40fb75
SHA256: 60232daedb5460d47c519157e9d18ba993de95d7a9c141453d4ba282a82053ff
  MD5: 633606b7ebd30e2dbe9bf1689d2840cf  SHA1: 23c11dddb887ea3c48ac124eae1a3ee5e37850d6
SHA256: 32ea2d0ce3512e74f1c7ad82591fe67e6b8939d76a8a4ff9c93ead030131e71c
  MD5: 900bf2b7812788efb97eb6b1b63814a0  SHA1: f77f5a3f19f1ea332384517400684e5c2365e14a
SHA256: c0c628ecea65b4261cb88a1c322a3596bbde1dc2df102b88d63bab8c1a48d57a
  MD5: 463454e569a489008aa0e5f1a6f49d47  SHA1: c98a6ea7f235200d61fb4fae6df55bb5868e972d
SHA256: a094f979c08aa03c647628a7674e1141121d730913ef914412e01654b249c42b
  MD5: b2baca6d8c1ec09be4d9fe6ab3248f92  SHA1: 2159680f060d2762656f3bab8630ddaa511073d9
SHA256: 89236b66b7e8410829edf409d0c74ca02e8ebc7fff86d9de825ea2867384990d
  MD5: 98802af24d2aae74554e6ffb6daf4a03  SHA1: 16001acf562b36c9eb19f03ed580837d1526a8a8
SHA256: 98fd1d0926eb0dd49c30cbdd428d779a96c89fe1f64995852dc8e6ca9d2a1a5e
  MD5: 0cda264ce626d480c8d9249548271b21  SHA1: d443608c27ea40031ae0a10d0b91b0e4b2ed28b5
  Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers, INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore, INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a ransomware group.
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded form
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: Detect_Go_GOMAXPROCS
Author: Obscurity Labs LLC
Description: Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: Disable_Defender
Author: iam-py-test
Description: Detects files disabling or modifying Windows Defender, Windows Firewall, or Microsoft SmartScreen
Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: grakate_stealer_nov_2021
Rule name: Heuristics_ChromeABE
Author: Still
Description: Attempts to match instructions related to the Chrome App-Bound Encryption elevation service; possibly spotted amongst infostealers
Rule name: HiveRansomware
Author: Dhanunjaya
Description: YARA rule to detect Hive v4 ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: Find Golang malware
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021 to December 2022
Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: Multi_Generic_Threat_19854dc2
Author: Elastic Security
Rule name: NET
Author: malware-lu
Rule name: NETDLLMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in the Golang programming language
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: Rooter
Author: Seth Hardy
Description: Rooter
Rule name: RooterStrings
Author: Seth Hardy
Description: Rooter identifying strings
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create false positives)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: SalatStealer
File type: Executable exe
SHA256: cb7152dfc85b55593133b9cc855193a64cca9729eef74952cd4e63910feceba5 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                      Severity
CHECK_AUTHENTICODE  Missing Authenticode                                       high
CHECK_NX            Missing Non-Executable Memory Protection                   critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection   high

Reviews
ID                 Capabilities                    Evidence
SHELL_API          Manipulates System Shell        shell32.dll::ShellExecuteA
WIN32_PROCESS_API  Can Create Process and Threads  kernel32.dll::CloseHandle
WIN_BASE_IO_API    Can Create Files                kernel32.dll::CreateFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetTempPathA
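The three BLint findings above come from two fields of the PE optional header (DllCharacteristics and the Security data directory), and the UPX verdicts earlier on the page (TrID, the "UPX packed file" behaviour tag, the upx_largefile rule) can be read from the section table. The block below is an added example, not BLint's code and not derived from this sample: it parses those fields with the standard library only and evaluates them the way the findings table does, plus a UPX section-name check. The two images it runs on are constructed header-only blobs (not loadable), one shaped like this sample's findings and one hardened; `build_pe32`, its section names and the signature-directory size are assumptions for the demonstration.

```python
"""Static checks in the spirit of the BLint findings above (NX, PIE, Authenticode) plus a
UPX section-name check, read straight from the PE headers.  Added example for this page;
not BLint's own code.  Standard library only."""
import struct

DLLCHAR_DYNAMIC_BASE = 0x0040     # image can be relocated (ASLR, what BLint calls PIE)
DLLCHAR_NX_COMPAT = 0x0100        # image is DEP-compatible
DIR_SECURITY = 4                  # data directory holding the Authenticode signature blob
SECTION_HDR_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return the optional-header kind, DllCharacteristics, Security dir size and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", data, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", data, file_hdr + 16)
    opt = file_hdr + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        kind, n_rva_off = "PE32", opt + 92     # NumberOfRvaAndSizes; directories follow at +96
    elif magic == 0x20B:
        kind, n_rva_off = "PE32+", opt + 108   # directories follow at +112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)   # same offset in PE32 and PE32+
    n_rva, = struct.unpack_from("<I", data, n_rva_off)
    sec_dir_size = 0
    if n_rva > DIR_SECURITY:
        # Security entry is (file offset, size); a non-zero size means a signature blob exists.
        _, sec_dir_size = struct.unpack_from("<II", data, n_rva_off + 4 + DIR_SECURITY * 8)
    sections = []
    sec_tbl = opt + opt_size
    for i in range(n_sections):
        off = sec_tbl + i * SECTION_HDR_SIZE
        sections.append(data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"kind": kind, "dll_characteristics": dll_chars,
            "security_dir_size": sec_dir_size, "sections": sections}


def blint_style_findings(data: bytes) -> list:
    """(ID, title, severity) triples using the IDs and severities from the BLint table above."""
    pe = parse_pe(data)
    findings = []
    if pe["security_dir_size"] == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not pe["dll_characteristics"] & DLLCHAR_NX_COMPAT:
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    if not pe["dll_characteristics"] & DLLCHAR_DYNAMIC_BASE:
        findings.append(("CHECK_PIE", "Missing Position-Independent Executable (PIE) Protection", "high"))
    return findings


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (and UPX2); renamed sections defeat this check."""
    return any(name.startswith("UPX") for name in parse_pe(data)["sections"])


def build_pe32(dll_chars: int, security_size: int, section_names=()) -> bytes:
    """Constructed, header-only PE32 blob for the demonstration (not a loadable image)."""
    opt_size = 224                                    # standard PE32 optional header, 16 directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    nt = bytearray(4 + 20 + opt_size + SECTION_HDR_SIZE * len(section_names))
    nt[:4] = b"PE\0\0"
    struct.pack_into("<HH", nt, 4, 0x14C, len(section_names))   # Machine=i386, NumberOfSections
    struct.pack_into("<H", nt, 4 + 16, opt_size)                 # SizeOfOptionalHeader
    opt = 24
    struct.pack_into("<H", nt, opt, 0x10B)                       # Magic = PE32
    struct.pack_into("<H", nt, opt + 70, dll_chars)              # DllCharacteristics
    struct.pack_into("<I", nt, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", nt, opt + 96 + DIR_SECURITY * 8,
                     0x4000 if security_size else 0, security_size)
    for i, name in enumerate(section_names):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        nt[off:off + 8] = name.encode("ascii").ljust(8, b"\0")
    return bytes(dos + nt)


# Constructed images: one shaped like this page's findings (no DEP, no ASLR, unsigned, UPX
# sections) and one with the hardening flags set and a non-empty signature directory.
SAMPLE_UNHARDENED = build_pe32(0, 0, ("UPX0", "UPX1", ".rsrc"))
SAMPLE_HARDENED = build_pe32(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT, 0x1A00, (".text", ".rdata"))

if __name__ == "__main__":
    for label, blob in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(label, "UPX" if looks_upx_packed(blob) else "not UPX", blint_style_findings(blob))
```

To run it on a real file, pass `open(path, "rb").read()` to `blint_style_findings` and `looks_upx_packed`. Two caveats apply to a sample like this one: on a UPX-packed file the header flags describe the UPX stub, so the checks say little about the payload until it is unpacked (`upx -d`), and a non-empty Security directory only means a signature blob is present, not that it verifies; validity needs a chain check with `signtool verify` or `Get-AuthenticodeSignature`. On 64-bit images full ASLR also wants HIGH_ENTROPY_VA (0x0020), which this PE32-oriented check does not evaluate.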

Comments