Overview

overview

10

Static

static

5

tx_1743020207149.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    26/03/2025, 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tx_1743020207149.exe

  • Size

    3.1MB

  • MD5

    f01179a4c7dd4d8f7d2cccce3025267c

  • SHA1

    6f23d8676801aa1e3c192318163ffdf5087d503a

  • SHA256

    b7597e2e5b19ce1d48f5e615d996523e32bc3ac069e2472305d52d667f7291f1

  • SHA512

    56faf1cdbaf861c85963f32e0adfcd6e66d4fc000abb1622f1f0f6065955a7b28efc30081ee3b7c7cdf9c91fba78795f60ae997688bcd5bb25d1f51a527f035d

  • SSDEEP

    49152:pP28sD83LJOqGB5YUpIoIPiPoCWW+OUH1+GHe8S3ldXRtkFonsUV/0O+ad2VRRvk:puv0chLXG5d+nRgMb1kjS

Score
10/10
salatstealerdiscoverystealerupx

Malware Config

Signatures

  • Detect SalatStealer payload 3 IoCs
  • Salatstealer family
    salatstealer
  • salatstealer

    SalatStealer is a stealer that takes sceenshot written in Golang.

    stealersalatstealer
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tx_1743020207149.exe
    "C:\Users\Admin\AppData\Local\Temp\tx_1743020207149.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5844
    • C:\Users\Admin\AppData\Local\Comms\upfc.exe
      C:\Users\Admin\AppData\Local\Comms\upfc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft.NET\csrss.exe
    Filesize

    3.1MB

    MD5

    f01179a4c7dd4d8f7d2cccce3025267c

    SHA1

    6f23d8676801aa1e3c192318163ffdf5087d503a

    SHA256

    b7597e2e5b19ce1d48f5e615d996523e32bc3ac069e2472305d52d667f7291f1

    SHA512

    56faf1cdbaf861c85963f32e0adfcd6e66d4fc000abb1622f1f0f6065955a7b28efc30081ee3b7c7cdf9c91fba78795f60ae997688bcd5bb25d1f51a527f035d

    Download Submit

  • memory/2980-16-0x00000000006B0000-0x000000000122D000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2980-18-0x00000000006B0000-0x000000000122D000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2980-19-0x00000000006B0000-0x000000000122D000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/5844-0-0x0000000000530000-0x00000000010AD000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/5844-17-0x0000000000530000-0x00000000010AD000-memory.dmp

    Filesize

    11.5MB

    Download