Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/03/2025, 22:52
Behavioral task: behavioral1
- Sample: stand.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: stand.exe
- Resource: win10v2004-20250314-en
General
- Target: stand.exe
- Size: 17.8MB
- MD5: 4e45d159b2f482edac2ba45713c335a2
- SHA1: 1b97c1e523ed4add9d952842a920b0c42ceacfb4
- SHA256: 05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3
- SHA512: 2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6
- SSDEEP: 98304:QN4aC69mw0GrEW1bSc1AzMjir7ifGB0Kn9JtxTbF:Q270mw9bScyM4WObn9J3
Malware Config
Signatures
Detect SalatStealer payload 21 IoCs
resource | yara_rule
behavioral2/memory/4000-7-0x0000000000790000-0x000000000130F000-memory.dmp | family_salatstealer
behavioral2/memory/4976-33-0x00000000005E0000-0x000000000115F000-memory.dmp | family_salatstealer
behavioral2/memory/4760-44-0x0000000000630000-0x00000000011AF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-75-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-76-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-81-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-82-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-83-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-84-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-85-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-87-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4624-92-0x0000000000A00000-0x000000000157F000-memory.dmp | family_salatstealer
behavioral2/memory/4524-90-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4624-93-0x0000000000A00000-0x000000000157F000-memory.dmp | family_salatstealer
behavioral2/memory/3768-94-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-95-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-96-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-97-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-98-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-99-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
behavioral2/memory/4524-100-0x0000000000970000-0x00000000014EF000-memory.dmp | family_salatstealer
Salatstealer family
salatstealer
SalatStealer is an information stealer, written in Golang, that takes screenshots.
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | powershell.exe
Executes dropped EXE 5 IoCs
pid | Process
4524 | dwm.exe
4976 | dwm.exe
4760 | dwm.exe
3768 | dwm.exe
4624 | spoolsv.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Recovery | ReAgentc.exe
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | ReAgentc.exe
resource | yara_rule
behavioral2/memory/4000-0-0x0000000000790000-0x000000000130F000-memory.dmp | upx
behavioral2/files/0x000b0000000240c2-5.dat | upx
behavioral2/memory/4000-7-0x0000000000790000-0x000000000130F000-memory.dmp | upx
behavioral2/memory/4524-9-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4976-18-0x00000000005E0000-0x000000000115F000-memory.dmp | upx
behavioral2/memory/4976-33-0x00000000005E0000-0x000000000115F000-memory.dmp | upx
behavioral2/memory/4760-41-0x0000000000630000-0x00000000011AF000-memory.dmp | upx
behavioral2/memory/4760-44-0x0000000000630000-0x00000000011AF000-memory.dmp | upx
behavioral2/memory/4524-75-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-76-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-81-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-82-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-83-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-84-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-85-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-87-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4624-92-0x0000000000A00000-0x000000000157F000-memory.dmp | upx
behavioral2/memory/4524-90-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4624-93-0x0000000000A00000-0x000000000157F000-memory.dmp | upx
behavioral2/memory/3768-94-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-95-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-96-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-97-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-98-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-99-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
behavioral2/memory/4524-100-0x0000000000970000-0x00000000014EF000-memory.dmp | upx
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\WindowsPowerShell\888b6f6c-d2b4-57e5-6af8-8a82df046cd2 | stand.exe
File created | C:\Program Files (x86)\WindowsPowerShell\dwm.exe | stand.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\dwm.exe | stand.exe
File created | C:\Program Files\Google\Chrome\Application\dwm.exe | dwm.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe | dwm.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | ReAgentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | ReAgentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | ReAgentc.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | ReAgentc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ReAgentc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwm.exe
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid | Process
4000 | stand.exe
4000 | stand.exe
4000 | stand.exe
4000 | stand.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4952 | powershell.exe
4952 | powershell.exe
4976 | dwm.exe
4976 | dwm.exe
4952 | powershell.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4760 | dwm.exe
4760 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4524 | dwm.exe
4624 | spoolsv.exe
4624 | spoolsv.exe
3768 | dwm.exe
3768 | dwm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4524 | dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4952 | powershell.exe
Token: SeDebugPrivilege | 4524 | dwm.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4000 wrote to memory of 4524 | 4000 | stand.exe | 92
PID 4000 wrote to memory of 4524 | 4000 | stand.exe | 92
PID 4000 wrote to memory of 4524 | 4000 | stand.exe | 92
PID 4524 wrote to memory of 4952 | 4524 | dwm.exe | 96
PID 4524 wrote to memory of 4952 | 4524 | dwm.exe | 96
PID 4524 wrote to memory of 4952 | 4524 | dwm.exe | 96
PID 4524 wrote to memory of 4976 | 4524 | dwm.exe | 98
PID 4524 wrote to memory of 4976 | 4524 | dwm.exe | 98
PID 4524 wrote to memory of 4976 | 4524 | dwm.exe | 98
PID 4524 wrote to memory of 4760 | 4524 | dwm.exe | 100
PID 4524 wrote to memory of 4760 | 4524 | dwm.exe | 100
PID 4524 wrote to memory of 4760 | 4524 | dwm.exe | 100
PID 4952 wrote to memory of 1168 | 4952 | powershell.exe | 103
PID 4952 wrote to memory of 1168 | 4952 | powershell.exe | 103
PID 4952 wrote to memory of 1168 | 4952 | powershell.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\stand.exe (PID 4000)
  command line: "C:\Users\Admin\AppData\Local\Temp\stand.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\WindowsPowerShell\dwm.exe (PID 4524)
    command line: "C:\Program Files (x86)\WindowsPowerShell\dwm.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4952)
      command line: powershell.exe
      - Drops file in Drivers directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ReAgentc.exe (PID 1168)
        command line: "C:\Windows\system32\ReAgentc.exe" /disable
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
    - C:\Program Files\Google\Chrome\Application\dwm.exe (PID 4976)
      command line: "C:\Program Files\Google\Chrome\Application\dwm.exe" -
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe (PID 4760)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe" -
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 448)
  command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 3984)
  command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- C:\Program Files (x86)\WindowsPowerShell\dwm.exe (PID 3768)
  command line: "C:\Program Files (x86)\WindowsPowerShell\dwm.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Mozilla\spoolsv.exe (PID 4624)
  command line: C:\Users\Admin\AppData\Local\Mozilla\spoolsv.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17.8MB
  MD5: 4e45d159b2f482edac2ba45713c335a2
  SHA1: 1b97c1e523ed4add9d952842a920b0c42ceacfb4
  SHA256: 05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3
  SHA512: 2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82