Overview

overview

10

Static

static

10

e1dcb9ba72...29.exe

windows7-x64

3

e1dcb9ba72...29.exe

windows10-2004-x64

3

e2071b429e...5c.exe

windows7-x64

10

e2071b429e...5c.exe

windows10-2004-x64

10

e249dbf0ac...f4.exe

windows7-x64

8

e249dbf0ac...f4.exe

windows10-2004-x64

8

e277271cc7...e8.exe

windows7-x64

10

e277271cc7...e8.exe

windows10-2004-x64

10

e282def0d2...89.exe

windows7-x64

10

e282def0d2...89.exe

windows10-2004-x64

10

e29645b977...39.exe

windows7-x64

7

e29645b977...39.exe

windows10-2004-x64

7

e2bfb9c5da...0c.exe

windows7-x64

1

e2bfb9c5da...0c.exe

windows10-2004-x64

1

e316eea789...fa.exe

windows7-x64

1

e316eea789...fa.exe

windows10-2004-x64

1

e3250ba3e9...f9.exe

windows7-x64

10

e3250ba3e9...f9.exe

windows10-2004-x64

10

e34a914ca2...b1.exe

windows7-x64

10

e34a914ca2...b1.exe

windows10-2004-x64

10

e37b2913aa...c6.exe

windows7-x64

10

e37b2913aa...c6.exe

windows10-2004-x64

10

e37c63b72b...0d.exe

windows7-x64

10

e37c63b72b...0d.exe

windows10-2004-x64

10

e37cf80804...e0.exe

windows7-x64

10

e37cf80804...e0.exe

windows10-2004-x64

10

e3a2f6c598...82.exe

windows7-x64

1

e3a2f6c598...82.exe

windows10-2004-x64

1

e3a86fc42d...62.exe

windows7-x64

9

e3a86fc42d...62.exe

windows10-2004-x64

9

e3e3053d34...10.exe

windows7-x64

10

e3e3053d34...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910.exe

  • Size

    3.2MB

  • MD5

    fdfe8313374cc5b208a194f2361d06b1

  • SHA1

    f9d3ca1caf3fdafc2ced50709345811110c5a8cc

  • SHA256

    e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910

  • SHA512

    01b650c9474e289f3dd3c891cee0093ec75806e33a5536e5fcc3202c1f5bf9e6a8fdd8b98b5788764a37c27111decef6fc814ce13cfbeb9ac66de577be823001

  • SSDEEP

    98304:eAgOjoXMv34ssQQFTyEw33qGEZZ5Eq6ea:V/wNTyEw3tEZXV6e

Score
10/10
salatstealercredential_accessdiscoveryspywarestealerupx

Malware Config

Signatures

  • Detect SalatStealer payload 18 IoCs
  • Salatstealer family
    salatstealer
  • salatstealer

    SalatStealer is a stealer that takes sceenshot written in Golang.

    stealersalatstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910.exe
    "C:\Users\Admin\AppData\Local\Temp\e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
      "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Program Files (x86)\Microsoft.NET\lsass.exe
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Program Files\Google\Chrome\Application\lsass.exe
          "C:\Program Files\Google\Chrome\Application\lsass.exe" -
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5868
        • C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe" -
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3620
    • C:\Users\Admin\AppData\Local\Temp\Xenocheat.exe
      "C:\Users\Admin\AppData\Local\Temp\Xenocheat.exe"
      2⤵
      • Executes dropped EXE
      PID:2376
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
      PID:2108
    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
      1⤵
        PID:4020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
        Filesize

        3.1MB

        MD5

        8899e5f3f8a07920e0e1b17b9ee5c94d

        SHA1

        9a2f8f62a289c2460e08083af062be9ce0901e5b

        SHA256

        ec6e522cff0e048fc398894d13600f4b02b77ba952a7499f2b3a21422fc52171

        SHA512

        f89197aadac1403c4776afe699570d8564b20e98f43202949f593c8e4f87d6f272cbaaed6caf4e0aad5033dfc0dc311735c21bb764fcf18f216325f4de0c39d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Xenocheat.exe
        Filesize

        140KB

        MD5

        70797e0760472325728ba786ca208976

        SHA1

        8912f23afbe8b78a9582f2a458b89a7fd697e638

        SHA256

        20744d38bc27d656a095e57bef62a44f5f6317de3672020e8a4a1e1057545764

        SHA512

        787f172cbc18eeb4f8e88420377459f37918edc9aec0105566f9e79555a962d6e89d7d0d6b791475282b2c5fb093c9e85544794639ad2771d9ca4a0e5b456477

        Download Submit

      • memory/2592-55-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-58-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-61-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-60-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-59-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-48-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-33-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-57-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-56-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-52-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-51-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-46-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-47-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-49-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-54-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2592-50-0x0000000000030000-0x0000000000BAC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/3620-45-0x0000000000A10000-0x000000000158C000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/3620-44-0x0000000000A10000-0x000000000158C000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4720-1-0x0000000000A50000-0x0000000000D88000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/4720-7-0x00007FF9692F0000-0x00007FF969DB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4720-0-0x00007FF9692F3000-0x00007FF9692F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4720-23-0x00007FF9692F0000-0x00007FF969DB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4868-24-0x00000000000B0000-0x0000000000C2C000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4868-32-0x00000000000B0000-0x0000000000C2C000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/5868-39-0x0000000000780000-0x00000000012FC000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/5868-38-0x0000000000780000-0x00000000012FC000-memory.dmp

        Filesize

        11.5MB

        Download