salatstealer | 7558f317862440cc8603c6a9e9626b7f17c9ae94874f3cbabdb94431237a56ff

General

Target

Zimoria.exe
Size

18.0MB
MD5

aaf9053a11df749fca2386d998748808
SHA1

8efd43ed12e5173b6447626957bbcfe47eb46af4
SHA256

7558f317862440cc8603c6a9e9626b7f17c9ae94874f3cbabdb94431237a56ff
SHA512

7f68c2180c454d4ced4caddece3e705af06eec487ae917fd8bb74f31ade9a08334b7b4810cae81c9850932c3837983c1300d2b9510c7746e304572dc2f621c9a
SSDEEP

393216:brk9XZNyeK/2OXVP5nPi1m1Nqao+9/pWFGRZ0br2W673KHa:yZkeK/7XDPMm1Njo+9/pWNW366

Score

10^/10

salatstealer discovery pyinstaller stealer upx

Malware Config

Signatures

Detect SalatStealer payload 1 IoCs

resource	yara_rule
behavioral4/memory/2792-50-0x0000000000D80000-0x00000000018FD000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 5 IoCs

pid	Process
2792	System.exe
1484	áàçû äàííûõ.exe
3052	êîìïîíåíòû.exe
2644	êîìïîíåíòû.exe
1188	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
2892	Zimoria.exe
2892	Zimoria.exe
2892	Zimoria.exe
2892	Zimoria.exe
3052	êîìïîíåíòû.exe
2644	êîìïîíåíòû.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000d000000012263-2.dat	upx
behavioral4/memory/2892-11-0x0000000004210000-0x0000000004D8D000-memory.dmp	upx
behavioral4/memory/2792-14-0x0000000000D80000-0x00000000018FD000-memory.dmp	upx
behavioral4/memory/2792-50-0x0000000000D80000-0x00000000018FD000-memory.dmp	upx
behavioral4/files/0x000500000001a4b4-76.dat	upx
behavioral4/memory/2644-78-0x000007FEF3B50000-0x000007FEF4138000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral4/files/0x000700000001932a-20.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zimoria.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2792	2892	Zimoria.exe	30
PID 2892 wrote to memory of 2792	2892	Zimoria.exe	30
PID 2892 wrote to memory of 2792	2892	Zimoria.exe	30
PID 2892 wrote to memory of 2792	2892	Zimoria.exe	30
PID 2892 wrote to memory of 1484	2892	Zimoria.exe	31
PID 2892 wrote to memory of 1484	2892	Zimoria.exe	31
PID 2892 wrote to memory of 1484	2892	Zimoria.exe	31
PID 2892 wrote to memory of 1484	2892	Zimoria.exe	31
PID 2892 wrote to memory of 3052	2892	Zimoria.exe	32
PID 2892 wrote to memory of 3052	2892	Zimoria.exe	32
PID 2892 wrote to memory of 3052	2892	Zimoria.exe	32
PID 2892 wrote to memory of 3052	2892	Zimoria.exe	32
PID 3052 wrote to memory of 2644	3052	êîìïîíåíòû.exe	33
PID 3052 wrote to memory of 2644	3052	êîìïîíåíòû.exe	33
PID 3052 wrote to memory of 2644	3052	êîìïîíåíòû.exe	33

C:\Users\Admin\AppData\Local\Temp\Zimoria.exe
"C:\Users\Admin\AppData\Local\Temp\Zimoria.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe
  "C:\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe"
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe
  "C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe
    "C:\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30522\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\áàçû äàííûõ.exe

Filesize
490KB

MD5
7ed384c65110894f721c1adb5020b2e7

SHA1
dd9bfe4de5805141633636a41627fe1dc3e279c6

SHA256
034da4e765f19a63cee0bb24f21fb4f58d2f4429bb72df22fd586ae7b4ccc545

SHA512
a6b8e6e4bad2f8b36287258ec6afcfc22ccc702b8e49ae67b0d5d13efc5c532455f53942793ef5aad35230cd7762305e632cfc9f0e5cc399b35fbe07d644e6f9

Download Submit
\Users\Admin\AppData\Local\Temp\System.exe

Filesize
3.1MB

MD5
b3ece9ad8ea53581d0a74e30ee610d83

SHA1
1ace9db5ab0021c39a0223c2097c8768cd0fbf60

SHA256
1371363f12a322ceb5065dff122def49fd371d96edbc96a419eb0b06784953ce

SHA512
1f2079e757ea84171030c68bd1e3a467f90f4fa464c602f5efbebe111fdb575cfc305ea0ca1051a5433151873c3f1983c0d944d2dda58c68e12584375ef3b79e

Download Submit
\Users\Admin\AppData\Local\Temp\êîìïîíåíòû.exe

Filesize
10.8MB

MD5
0e2c088f92873ec6bc59b562382fd2e1

SHA1
9d8775a6726c8478278e294193ea1ed1bdfd7c4d

SHA256
6f67b70be9736b65f275f7d7f989174e4e999e259087097dbca0cf2bbdc7eced

SHA512
47a03ce00dd53fe286c8cf92234aa1e086647cb145541f69fcc1161f0476e158eccfa8950159ec5322bf3e8f2f9051307df445e97f6b4b6f64b8d09e1d2a6c60

Download Submit
memory/1484-51-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/2644-78-0x000007FEF3B50000-0x000007FEF4138000-memory.dmp

Filesize
5.9MB

Download
memory/2792-14-0x0000000000D80000-0x00000000018FD000-memory.dmp

Filesize
11.5MB

Download
memory/2792-50-0x0000000000D80000-0x00000000018FD000-memory.dmp

Filesize
11.5MB

Download
memory/2892-11-0x0000000004210000-0x0000000004D8D000-memory.dmp

Filesize
11.5MB

Download
memory/2892-19-0x0000000004210000-0x0000000004D8D000-memory.dmp

Filesize
11.5MB

Download
memory/2892-24-0x0000000000400000-0x00000000015FB000-memory.dmp

Filesize
18.0MB

Download

Analysis

Sharing