MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SalatStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46
SHA3-384 hash: a1bd00f5789e6fcee56fab274ee135008a8e5a7e1a198f0064271b9131b3c6e0e351695bf7b049d38c99b3c9d4c726ce
SHA1 hash: 1edb1585a88cadf59216eb476e22763b0a816249
MD5 hash: 9afd22a4677e377b59db24a583efc56f
humanhash: happy-william-charlie-one
File name:Installer.exe
Download: download sample
Signature SalatStealer
Create hunting rule
File size:96'007'869 bytes
First seen:2026-01-10 12:07:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5d3ce44460b794187f3e238adc502a4 (1 x SalatStealer)
ssdeep 1572864:j689nV91g2bPVNqt1R7yGDZJKXY1i5FV8aslbrm5HfGzA+e4iUT2+:jFP1g2BNy1AGDZYXY6F25bSdTpi9
TLSH T192283356F2F901E8E07BC178CA5B5617EBB23859172097DB12648A692F37FE05E3E310
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/dd4ac137-f289-4d5b-9093-8417259f6334/
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2026-01-10 12:06:45 UTC
Tags:
evasion amsi-bypass wmi-base64 susp-powershell
Link:
https://app.any.run/tasks/ca315e42-10d6-4b1c-beae-c0f83a91717c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696240d7f50945831dffaacf
Tags:
malware
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint installer-heuristic microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/696241551a20a4c87b1a5fd3/reports/3315970d-6c39-4d8c-99d1-57cee51787fe/overview
Verdict:
Suspicious
Labled as:
Win64/Agent_AGeneric.HFU trojan
Link:
https://www.hybrid-analysis.com/sample/f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-10T09:05:00Z UTC
Last seen:
2026-01-11T02:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.MSIL.Agent.gen HEUR:Trojan.MSIL.Disdroth.gen Trojan.Win64.Agent.smeufp
Link:
https://opentip.kaspersky.com/f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1847867
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Contains functionality to register a low level keyboard hook
Drops PE files to the document folder of the user
Drops PE files with benign system names
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1847867 Sample: Installer.exe Startdate: 10/01/2026 Architecture: WINDOWS Score: 100 129 msmgt.sbs 2->129 131 ip-api.com 2->131 133 3 other IPs or domains 2->133 143 Suricata IDS alerts for network traffic 2->143 145 Multi AV Scanner detection for submitted file 2->145 147 .NET source code contains very large array initializations 2->147 149 10 other signatures 2->149 12 msiexec.exe 317 272 2->12         started        15 Installer.exe 4 2->15         started        signatures3 process4 file5 109 C:\Program Files (x86)\Installer\Render.exe, PE32+ 12->109 dropped 111 C:\Program Files (x86)\...\wpfgfx_cor3.dll, PE32+ 12->111 dropped 113 C:\...\vcruntime140_cor3.dll, PE32+ 12->113 dropped 115 239 other files (none is malicious) 12->115 dropped 17 Render.exe 15 12->17         started        22 msiexec.exe 5 15->22         started        process6 dnsIp7 117 msmgt.sbs 91.214.78.169, 443, 49727, 49729 FOTONTELECOM-STUB-ASFOTONTELECOMRU Russian Federation 17->117 119 ip-api.com 208.95.112.1, 49725, 80 TUT-ASUS United States 17->119 121 api.ipify.org 172.67.74.152, 49724, 49726, 49728 CLOUDFLARENETUS United States 17->121 93 Win_Driver_SSL_support_v43.22.209.44.exe, PE32 17->93 dropped 95 Printer_Driver_SSL...t_v43.22.209.99.exe, PE32 17->95 dropped 151 Adds a directory exclusion to Windows Defender 17->151 24 Win_Driver_SSL_support_v43.22.209.44.exe 17->24         started        28 Printer_Driver_SSL_support_v43.22.209.99.exe 17->28         started        30 powershell.exe 8 23 17->30         started        32 4 other processes 17->32 153 Uses cmd line tools excessively to alter registry or file data 22->153 file8 signatures9 process10 file11 103 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 24->103 dropped 105 C:\Users\user\AppData\Local\Temp\...\main.bat, Unicode 24->105 dropped 107 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 24->107 dropped 157 Self deletion via cmd or bat file 24->157 159 Contains functionality to register a low level keyboard hook 24->159 34 cmd.exe 24->34         started        37 cmd.exe 28->37         started        161 Loading BitLocker PowerShell Module 30->161 39 conhost.exe 30->39         started        41 conhost.exe 32->41         started        43 conhost.exe 32->43         started        45 conhost.exe 32->45         started        47 conhost.exe 32->47         started        signatures12 process13 signatures14 49 Installer.exe 34->49         started        53 7z.exe 34->53         started        55 7z.exe 34->55         started        64 6 other processes 34->64 135 Uses cmd line tools excessively to alter registry or file data 37->135 58 svchost.exe 37->58         started        60 7z.exe 37->60         started        62 conhost.exe 37->62         started        66 6 other processes 37->66 process15 dnsIp16 123 109.172.46.120, 443 SUMTEL-AS-RIPEMoscowRussiaRU Russian Federation 49->123 125 dns.google 8.8.8.8, 443, 49760, 49762 GOOGLEUS United States 49->125 127 5 other IPs or domains 49->127 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->137 139 Drops PE files with benign system names 53->139 97 C:\Users\user\AppData\Local\...\Installer.exe, PE32 55->97 dropped 99 C:\ProgramData\...\lhhsgwktkatl.exe, PE32+ 58->99 dropped 141 Adds a directory exclusion to Windows Defender 58->141 68 powershell.exe 58->68         started        71 cmd.exe 58->71         started        73 sc.exe 58->73         started        75 6 other processes 58->75 101 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 60->101 dropped file17 signatures18 process19 signatures20 155 Loading BitLocker PowerShell Module 68->155 77 conhost.exe 68->77         started        79 conhost.exe 71->79         started        81 wusa.exe 71->81         started        83 conhost.exe 73->83         started        85 conhost.exe 75->85         started        87 conhost.exe 75->87         started        89 conhost.exe 75->89         started        91 3 other processes 75->91 process21
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46
Gathering data
Verdict:
Malicious
Threat:
Trojan.MSIL.Disdroth
Link:
https://tip.neiki.dev/file/f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-10 12:06:45 UTC
File Type:
PE+ (Exe)
Extracted files:
576
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6c7ncvjy4anvbqm24pqirvdxqzsug4fbq6hosmtmux2zkdxzxrda._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
ransomware
Link:
https://tria.ge/reports/260110-pbcjcsew2b/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/220c8808-c17d-4245-8e41-10424f854ff2
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0bed15538e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SalatStealer

Executable exe f0bed15538e01b50c19ae3e088d47786654370a1878ee9326ca5f5950ef9bc46

(this sample)

CoinMiner

Executable exe 91781da6c1db66ebd379e2008b897729ef011d064770a50d3acdaf01f2e95850

  
Dropping
SHA256 91781da6c1db66ebd379e2008b897729ef011d064770a50d3acdaf01f2e95850
  
Dropping
MD5 0e9b3120bc58a577668e7bd8ce5e72b7
  
Dropping
SHA256 8efb10bafc3b2f12d043d60d4c9009ebcde06f7388d8cd8042271bfa2da4b9da
  
Dropping
MD5 f5ecd9cd6912b8c5d61f5dda1b4c8c64

Comments