salatstealer | 5ca343f5690462618535b682469b8f1c529ab42af9798e70fb606ac1581c045c

General

Target

Nursultan.exe
Size

3.1MB
MD5

8bca40ea81d28fe8c3a222c203269c47
SHA1

37dbba4939b2d93658254cb6c46be9647485e0f9
SHA256

5ca343f5690462618535b682469b8f1c529ab42af9798e70fb606ac1581c045c
SHA512

02bbc5601c8bd982eb1218325363a0a3ed02499d2bdb4b30d89958a65196d3f4e6d24f1305717c83ce42e1a0eb25e61129b72d12b94dc124edd0729a91cd41f0
SSDEEP

98304:0JoyKoyUJ/5m4i3s0SSmBk0z7janvHXig2:IoYyUJo4q5SSmu07jeHX

Score

10^/10

Malware Config

Signatures

Detect SalatStealer payload 8 IoCs

resource	yara_rule
behavioral2/memory/3544-15-0x00000000001C0000-0x0000000000D3C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-16-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-17-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-18-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-19-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-21-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-22-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer
behavioral2/memory/1036-23-0x0000000000400000-0x0000000000F7C000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 1 IoCs

pid	Process
1036	RuntimeBroker.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3544-0-0x00000000001C0000-0x0000000000D3C000-memory.dmp	upx
behavioral2/files/0x000400000001dadb-5.dat	upx
behavioral2/memory/1036-14-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/3544-15-0x00000000001C0000-0x0000000000D3C000-memory.dmp	upx
behavioral2/memory/1036-16-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-17-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-18-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-19-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-21-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-22-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx
behavioral2/memory/1036-23-0x0000000000400000-0x0000000000F7C000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	Nursultan.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\taskhostw.exe	Nursultan.exe
File created	C:\Program Files (x86)\Windows Portable Devices\448e1e0a-e1f7-c592-1b42-f145996a0ae1	Nursultan.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	Nursultan.exe
File created	C:\Program Files (x86)\Reference Assemblies\448e1e0a-e1f7-c592-1b42-f145996a0ae1	Nursultan.exe
File created	C:\Program Files (x86)\Reference Assemblies\csrss.exe	Nursultan.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\csrss.exe	Nursultan.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	Nursultan.exe
File created	C:\Program Files (x86)\Windows Mail\448e1e0a-e1f7-c592-1b42-f145996a0ae1	Nursultan.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3544	Nursultan.exe
3544	Nursultan.exe
3544	Nursultan.exe
3544	Nursultan.exe
1036	RuntimeBroker.exe
1036	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1036	3544	Nursultan.exe	94
PID 3544 wrote to memory of 1036	3544	Nursultan.exe	94
PID 3544 wrote to memory of 1036	3544	Nursultan.exe	94

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
  "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\explorer.exe

Filesize
3.1MB

MD5
8bca40ea81d28fe8c3a222c203269c47

SHA1
37dbba4939b2d93658254cb6c46be9647485e0f9

SHA256
5ca343f5690462618535b682469b8f1c529ab42af9798e70fb606ac1581c045c

SHA512
02bbc5601c8bd982eb1218325363a0a3ed02499d2bdb4b30d89958a65196d3f4e6d24f1305717c83ce42e1a0eb25e61129b72d12b94dc124edd0729a91cd41f0

Download Submit
memory/1036-14-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-16-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-17-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-18-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-19-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-21-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-22-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/1036-23-0x0000000000400000-0x0000000000F7C000-memory.dmp

Filesize
11.5MB

Download
memory/3544-0-0x00000000001C0000-0x0000000000D3C000-memory.dmp

Filesize
11.5MB

Download
memory/3544-15-0x00000000001C0000-0x0000000000D3C000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing