MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SalatStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1
SHA3-384 hash:	b3974b41fe64a24a0e69c8962accc5366eeb1a12b5389505e0193f2f5d9d1104ecc514b1080e7ecfb98b8060db7b14df
SHA1 hash:	078067df91f3f566f5ed1c36fbeb0ba55434d20e
MD5 hash:	1911d38e12ed40aa1df89c6aac4dc580
humanhash:	paris-july-lactose-potato
File name:	script.ps1
Download:	download sample
Signature	SalatStealer Create hunting rule
File size:	1'912 bytes
First seen:	2025-11-21 16:00:28 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	48:EAfZHzQeDxz0wyoYB3Rw1mpCjs9AQm1KVQFjL7VCS0pm9+DG3qUEXpw3WIIYVRWX:hz9DZ0TrBh2jtviQFf7V30a+IZjteZ
Threatray	337 similar samples on MalwareBazaar
TLSH	T1AF41C6A26B8981D3C7C302F3490BB5D8E2DC0098D8F26D60E4F2FA10A76D10D4ACB87D
Magika	powershell
Reporter	Alex_sev
Tags:	ClickFix ps1 SalatStealer trojan.dropper

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692089858cf6736ec0b0185c

Tags:

ransomware virus spawn

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64

Link:

https://www.filescan.io/uploads/69208c9d6c89728b98253ea8/reports/3a64c1a9-2380-43bd-8dbc-6b19fc3c19b2/overview

Verdict:

Malicious

Labled as:

BZC.PZQ.Boxter.794

Link:

https://www.hybrid-analysis.com/sample/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1

Verdict:

Malicious

File Type:

ps1

First seen:

2025-11-21T13:00:00Z UTC

Last seen:

2025-11-21T14:04:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win32.HashCity.sb Trojan-Dropper.Win32.Agent.sb Trojan-Downloader.PowerShell.Agent.sb Trojan.Win32.Agent.sb Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Greedy.sb Trojan-Downloader.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-Banker.Win32.Agent.gen NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1/results?tab=lookup

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Base64 Block Contains Base64 Block PowerShell

Link:

https://app.malva.re/file/1911d38e12ed40aa1df89c6aac4dc580

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1/

Verdict:

Malicious

Threat:

Family.SALATSTEALER

Link:

https://tip.neiki.dev/file/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1

Threat name:

Win32.Trojan.Boxter

Status:

Malicious

First seen:

2025-11-21 15:47:19 UTC

File Type:

Text (PowerShell)

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4bgmcg2xkas7rkyt75v3eaukpprt6ljhupjky73fqywldeiiutyq._file

Verdict:

malicious

Label(s):

salatstealer

SalatStealer

4ca61f5c9b88fee807cae810b4d87367c30d6d67152d166375caa2b66b152468

SalatStealer

53d84055d2e47345b78517110b02dc731a112e74cb48afd5689c03f0400e8551

SalatStealer

a009d752494145c288387e586779a884b3f9729d6c0edab567ad5af122f7d478

SalatStealer

cca4352a19245a6c93d62dcf35ed55d180c315a42ac48a3c9bb43860093335f1

SalatStealer

ef7cb253973a7258bdcc68ee04b7555e64f69d9143efc222deea4e2bea8fc06b

SalatStealer

error

SalatStealer

+ 327 additional samples on MalwareBazaar

Result

Malware family:

salatstealer

Score:

10/10

Tags:

family:salatstealer credential_access defense_evasion discovery execution spyware stealer trojan upx

Link:

https://tria.ge/reports/251121-tgb71a1mcv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Executes dropped EXE

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Badlisted process makes network request

Downloads MZ/PE file

Detect SalatStealer payload

Salatstealer family

UAC bypass

salatstealer

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/e04cc11b575025f8ab13ff6bb2028a7be33f2d27a3d2ac7f65862cb19108a4f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/0b1cb5b0-f65d-48e7-a599-41ada7e4e4cb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample