salatstealer | d3cbf9defea0f29575828ed5b4484fa1bc1ce9ac2a0a994ccb34ed569ff96829

General

Target

Zimoria.rar
Size

17.3MB
MD5

0096f7923b82522041a34fecce24057b
SHA1

25407f16e5b0df74d594e9af3e7f33681784d376
SHA256

d3cbf9defea0f29575828ed5b4484fa1bc1ce9ac2a0a994ccb34ed569ff96829
SHA512

403a4042363abf09cbb8a4413dcf94079665b3fd90201cdbc297a1f5429befaab0477db644565f5004c5a3988cd75aa7b73443396f70f9ad050db8a0145b8ab1
SSDEEP

393216:qJZVpbjl492zBbcov9raMWJXaUWo6gOKrgwtaWdzwOpg8We/9JzaR:+KoCovJaMW8UWo6bu7HHpG2TE

Score

10^/10

salatstealer discovery pyinstaller stealer upx

Malware Config

Signatures

Detect SalatStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2920-50-0x00000000001D0000-0x0000000000D4D000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 7 IoCs

pid	Process
1716	Zimoria.exe
2772	Zimoria.exe
2920	System.exe
2952	lib.exe
2840	áàçû äàííûõ.exe
2832	êîìïîíåíòû.exe
3000	êîìïîíåíòû.exe

Loads dropped DLL 10 IoCs

pid	Process
1716	Zimoria.exe
1716	Zimoria.exe
1716	Zimoria.exe
1716	Zimoria.exe
2772	Zimoria.exe
2952	lib.exe
1716	Zimoria.exe
2832	êîìïîíåíòû.exe
3000	êîìïîíåíòû.exe
1180	Process not Found

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-34-0x0000000004920000-0x000000000549D000-memory.dmp	upx
behavioral1/files/0x0008000000015d19-21.dat	upx
behavioral1/memory/2920-38-0x00000000001D0000-0x0000000000D4D000-memory.dmp	upx
behavioral1/memory/2920-50-0x00000000001D0000-0x0000000000D4D000-memory.dmp	upx
behavioral1/files/0x000500000001a301-105.dat	upx
behavioral1/memory/3000-107-0x000007FEF41F0000-0x000007FEF47D8000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000015cdd-4.dat	pyinstaller
behavioral1/files/0x00050000000186c8-55.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zimoria.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2224	7zFM.exe
2224	7zFM.exe
2224	7zFM.exe
2224	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2224	7zFM.exe
Token: 35	2224	7zFM.exe
Token: SeSecurityPrivilege	2224	7zFM.exe
Token: SeSecurityPrivilege	2224	7zFM.exe
Token: SeSecurityPrivilege	2224	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2224	7zFM.exe
2224	7zFM.exe
2224	7zFM.exe
2224	7zFM.exe
2224	7zFM.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1716	2224	7zFM.exe	31
PID 2224 wrote to memory of 1716	2224	7zFM.exe	31
PID 2224 wrote to memory of 1716	2224	7zFM.exe	31
PID 2224 wrote to memory of 1716	2224	7zFM.exe	31
PID 1716 wrote to memory of 2772	1716	Zimoria.exe	32
PID 1716 wrote to memory of 2772	1716	Zimoria.exe	32
PID 1716 wrote to memory of 2772	1716	Zimoria.exe	32
PID 1716 wrote to memory of 2772	1716	Zimoria.exe	32
PID 1716 wrote to memory of 2920	1716	Zimoria.exe	34
PID 1716 wrote to memory of 2920	1716	Zimoria.exe	34
PID 1716 wrote to memory of 2920	1716	Zimoria.exe	34
PID 1716 wrote to memory of 2920	1716	Zimoria.exe	34
PID 2772 wrote to memory of 2952	2772	Zimoria.exe	36
PID 2772 wrote to memory of 2952	2772	Zimoria.exe	36
PID 2772 wrote to memory of 2952	2772	Zimoria.exe	36
PID 1716 wrote to memory of 2840	1716	Zimoria.exe	35
PID 1716 wrote to memory of 2840	1716	Zimoria.exe	35
PID 1716 wrote to memory of 2840	1716	Zimoria.exe	35
PID 1716 wrote to memory of 2840	1716	Zimoria.exe	35
PID 1716 wrote to memory of 2832	1716	Zimoria.exe	37
PID 1716 wrote to memory of 2832	1716	Zimoria.exe	37
PID 1716 wrote to memory of 2832	1716	Zimoria.exe	37
PID 1716 wrote to memory of 2832	1716	Zimoria.exe	37
PID 2832 wrote to memory of 3000	2832	êîìïîíåíòû.exe	38
PID 2832 wrote to memory of 3000	2832	êîìïîíåíòû.exe	38
PID 2832 wrote to memory of 3000	2832	êîìïîíåíòû.exe	38

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Zimoria.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\7zO0B89D967\Zimoria.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0B89D967\Zimoria.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\Zimoria.exe
    "C:\Users\Admin\AppData\Local\Temp\Zimoria.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2772_133870673180182000\lib.exe
      "C:\Users\Admin\AppData\Local\Temp\Zimoria.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe
    "C:\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe
    "C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe
      "C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0B89D967\Zimoria.exe

Filesize
18.0MB

MD5
aaf9053a11df749fca2386d998748808

SHA1
8efd43ed12e5173b6447626957bbcfe47eb46af4

SHA256
7558f317862440cc8603c6a9e9626b7f17c9ae94874f3cbabdb94431237a56ff

SHA512
7f68c2180c454d4ced4caddece3e705af06eec487ae917fd8bb74f31ade9a08334b7b4810cae81c9850932c3837983c1300d2b9510c7746e304572dc2f621c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28322\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2772_133870673180182000\lib.exe

Filesize
4.3MB

MD5
7da6d0809eeb431e353637a6e7c54ea2

SHA1
2650b13c7df4e164b761277d2b5d280acb4af675

SHA256
cc41216611605d39d7ede4b9a513b9d62a2059220d0468f12f4896cbc71750f3

SHA512
c4379ea487c74b3c2bced4686f6e819e1495ec247a2122dd4e48533586c70fb9289c9f9dd76bbf33a1b08185bc379254264561f56c95a72f4acd63483077c82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2772_133870673180182000\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe

Filesize
10.8MB

MD5
0e2c088f92873ec6bc59b562382fd2e1

SHA1
9d8775a6726c8478278e294193ea1ed1bdfd7c4d

SHA256
6f67b70be9736b65f275f7d7f989174e4e999e259087097dbca0cf2bbdc7eced

SHA512
47a03ce00dd53fe286c8cf92234aa1e086647cb145541f69fcc1161f0476e158eccfa8950159ec5322bf3e8f2f9051307df445e97f6b4b6f64b8d09e1d2a6c60

Download Submit
\Users\Admin\AppData\Local\Temp\System.exe

Filesize
3.1MB

MD5
b3ece9ad8ea53581d0a74e30ee610d83

SHA1
1ace9db5ab0021c39a0223c2097c8768cd0fbf60

SHA256
1371363f12a322ceb5065dff122def49fd371d96edbc96a419eb0b06784953ce

SHA512
1f2079e757ea84171030c68bd1e3a467f90f4fa464c602f5efbebe111fdb575cfc305ea0ca1051a5433151873c3f1983c0d944d2dda58c68e12584375ef3b79e

Download Submit
\Users\Admin\AppData\Local\Temp\Zimoria.exe

Filesize
3.4MB

MD5
109fc4bdf854a263314949538dcf720f

SHA1
189ac377f9c709c4fc5434ffcbd22cdf9ddeb0a4

SHA256
9b4c26558e35f2f0405bc354c19f0e28afb6e08ce39d840fa5aa4617dc4c61e7

SHA512
e41d08a1c6e07af0c984b26f574d78ae5eaee166bf69b2977103dd8ea60738a531735b3ab95bf8e153a76340ea4c4940d4f4ea4611af290a84296c33ff7911bc

Download Submit
\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe

Filesize
490KB

MD5
7ed384c65110894f721c1adb5020b2e7

SHA1
dd9bfe4de5805141633636a41627fe1dc3e279c6

SHA256
034da4e765f19a63cee0bb24f21fb4f58d2f4429bb72df22fd586ae7b4ccc545

SHA512
a6b8e6e4bad2f8b36287258ec6afcfc22ccc702b8e49ae67b0d5d13efc5c532455f53942793ef5aad35230cd7762305e632cfc9f0e5cc399b35fbe07d644e6f9

Download Submit
memory/1716-35-0x0000000004920000-0x000000000549D000-memory.dmp

Filesize
11.5MB

Download
memory/1716-56-0x0000000000400000-0x00000000015FB000-memory.dmp

Filesize
18.0MB

Download
memory/1716-34-0x0000000004920000-0x000000000549D000-memory.dmp

Filesize
11.5MB

Download
memory/2772-116-0x000000013F030000-0x000000013F3B7000-memory.dmp

Filesize
3.5MB

Download
memory/2840-108-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2920-50-0x00000000001D0000-0x0000000000D4D000-memory.dmp

Filesize
11.5MB

Download
memory/2920-38-0x00000000001D0000-0x0000000000D4D000-memory.dmp

Filesize
11.5MB

Download
memory/2952-109-0x000000013F400000-0x000000013F85F000-memory.dmp

Filesize
4.4MB

Download
memory/3000-107-0x000007FEF41F0000-0x000007FEF47D8000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing