MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382
SHA3-384 hash: 8394096d15cdc12c3af17bd755f04668fb7b5225d34aaac195784dff5c685dc842dc6fccbf1b24f61856e34f46e7f27a
SHA1 hash: c4830452ba1dffad3567835f613300d45b7466e8
MD5 hash: d8e4cecc57dd2c846d3b1e5725a10c41
humanhash: venus-florida-eight-steak
File name:d8e4cecc57dd2c846d3b1e5725a10c41.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:16'289'322 bytes
First seen:2025-09-03 05:56:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (38 x BlankGrabber, 15 x PythonStealer, 15 x SalatStealer)
ssdeep 393216:BYESC+2NnhKatSdOOy1SuCq6mdUSCb5oy1Pa/wwDWtOA:BYEbhpS43Cq9qJqEP6wwDWt
TLSH T136F6331862AA09FEECF2D93E86627C00C2697D417F69C5DF439413412D376EA5A3B3B4
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe SalatStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8e4cecc57dd2c846d3b1e5725a10c41.exe
Verdict:
Malicious activity
Analysis date:
2025-09-03 05:59:03 UTC
Tags:
python stealer ms-smartcard upx salatstealer golang
Link:
https://app.any.run/tasks/0a477ef5-daa0-4801-9955-8e8faa1a33d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24847/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b7d8d13e988eb6ab839faa
Tags:
installer extens overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller threat
Link:
https://www.filescan.io/uploads/68b7d8d6d5fe4d855590f918/reports/0e51f482-d5ad-4022-a88b-d707e9220ad5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-26T11:04:00Z UTC
Last seen:
2025-08-26T11:04:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b177e3cb-9254-4084-b2eb-f52c450abb66
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1770108
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1770108 Sample: 0t8sgU3UAk.exe Startdate: 03/09/2025 Architecture: WINDOWS Score: 100 71 dns.google 2->71 81 Antivirus detection for dropped file 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 5 other signatures 2->87 9 0t8sgU3UAk.exe 126 2->9         started        12 491NQTf2bLchCkmdgftVL.exe 1 2->12         started        15 7EzG2Ra9ImF5INf3ui.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 file5 57 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->57 dropped 59 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->59 dropped 61 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->61 dropped 63 101 other malicious files 9->63 dropped 19 0t8sgU3UAk.exe 1 9->19         started        93 Antivirus detection for dropped file 12->93 95 Multi AV Scanner detection for dropped file 12->95 22 491NQTf2bLchCkmdgftVL.exe 30 3 12->22         started        26 lsass.exe 17->26         started        28 rtmMHa0BWlpA85TNdBHIgNm.exe 17->28         started        30 lfnFDt8gm6IBqNLp0bwUZwq.exe 17->30         started        signatures6 process7 dnsIp8 51 C:\Users\user\Desktop\temp_8732.exe, PE32 19->51 dropped 32 temp_8732.exe 10 21 19->32         started        73 104.21.16.1, 443, 55547 CLOUDFLARENETUS United States 22->73 53 C:\...\491NQTf2bLchCkmdgftVL.exe, PE32 22->53 dropped 55 C:\...\491NQTf2bLchCkmdgftVL.exe, PE32 22->55 dropped 89 Tries to harvest and steal browser information (history, passwords, etc) 22->89 91 Tries to steal Crypto Currency Wallets 22->91 37 491NQTf2bLchCkmdgftVL.exe 22->37         started        39 491NQTf2bLchCkmdgftVL.exe 22->39         started        file9 signatures10 process11 dnsIp12 65 dns.google 8.8.4.4, 443, 55544, 55545 GOOGLEUS United States 32->65 67 8.8.8.8, 443, 64478 GOOGLEUS United States 32->67 69 104.21.48.1, 443, 64480 CLOUDFLARENETUS United States 32->69 43 C:\Users\user\...\P6N7ghBP83UmEuzkcpqzYu.exe, PE32 32->43 dropped 45 C:\Users\user\...\491NQTf2bLchCkmdgftVL.exe, PE32 32->45 dropped 47 C:\Users\user\AppData\...\LNQCarbpoC66.exe, PE32 32->47 dropped 49 7 other malicious files 32->49 dropped 75 Found many strings related to Crypto-Wallets (likely being stolen) 32->75 77 Creates multiple autostart registry keys 32->77 79 Drops PE files with benign system names 32->79 41 o5S1UjBuo.exe 32->41         started        file13 signatures14 process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/d8e4cecc57dd2c846d3b1e5725a10c41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-27 10:33:10 UTC
File Type:
PE+ (Exe)
Extracted files:
1022
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46yyrrwulp5immc62ojsvb5rpagrcrlr2wyzv3ko2ti52zrvsoba._file
Result
Malware family:
salatstealer
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer discovery pyinstaller stealer upx
Link:
https://tria.ge/reports/250903-gnvlpsgl5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Executes dropped EXE
Loads dropped DLL
Detect SalatStealer payload
Salatstealer family
salatstealer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e999ef8d-a040-4f59-bc98-19318ea95d34
Unpacked files
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/b88a9eee-e12a-47e2-a8d8-e2b6235cefdc/
SH256 hash:
e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382
MD5 hash:
d8e4cecc57dd2c846d3b1e5725a10c41
SHA1 hash:
c4830452ba1dffad3567835f613300d45b7466e8
Link:
https://www.unpac.me/results/b88a9eee-e12a-47e2-a8d8-e2b6235cefdc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7b188c6d45bfa86305ed3932a87b1780d114571d5b19aed4ed4d1dd66359382

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24847/

Comments