salatstealer | 05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stand.exe
Size

17.8MB
MD5

4e45d159b2f482edac2ba45713c335a2
SHA1

1b97c1e523ed4add9d952842a920b0c42ceacfb4
SHA256

05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3
SHA512

2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6
SSDEEP

98304:QN4aC69mw0GrEW1bSc1AzMjir7ifGB0Kn9JtxTbF:Q270mw9bScyM4WObn9J3

Score

10^/10

salatstealer credential_access discovery spyware stealer upx

Malware Config

Signatures

Detect SalatStealer payload 21 IoCs

resource	yara_rule
behavioral2/memory/4000-7-0x0000000000790000-0x000000000130F000-memory.dmp	family_salatstealer
behavioral2/memory/4976-33-0x00000000005E0000-0x000000000115F000-memory.dmp	family_salatstealer
behavioral2/memory/4760-44-0x0000000000630000-0x00000000011AF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-75-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-76-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-81-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-82-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-83-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-84-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-85-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-87-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4624-92-0x0000000000A00000-0x000000000157F000-memory.dmp	family_salatstealer
behavioral2/memory/4524-90-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4624-93-0x0000000000A00000-0x000000000157F000-memory.dmp	family_salatstealer
behavioral2/memory/3768-94-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-95-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-96-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-97-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-98-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-99-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer
behavioral2/memory/4524-100-0x0000000000970000-0x00000000014EF000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
4524	dwm.exe
4976	dwm.exe
4760	dwm.exe
3768	dwm.exe
4624	spoolsv.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	ReAgentc.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-0-0x0000000000790000-0x000000000130F000-memory.dmp	upx
behavioral2/files/0x000b0000000240c2-5.dat	upx
behavioral2/memory/4000-7-0x0000000000790000-0x000000000130F000-memory.dmp	upx
behavioral2/memory/4524-9-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4976-18-0x00000000005E0000-0x000000000115F000-memory.dmp	upx
behavioral2/memory/4976-33-0x00000000005E0000-0x000000000115F000-memory.dmp	upx
behavioral2/memory/4760-41-0x0000000000630000-0x00000000011AF000-memory.dmp	upx
behavioral2/memory/4760-44-0x0000000000630000-0x00000000011AF000-memory.dmp	upx
behavioral2/memory/4524-75-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-76-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-81-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-82-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-83-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-84-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-85-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-87-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4624-92-0x0000000000A00000-0x000000000157F000-memory.dmp	upx
behavioral2/memory/4524-90-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4624-93-0x0000000000A00000-0x000000000157F000-memory.dmp	upx
behavioral2/memory/3768-94-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-95-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-96-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-97-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-98-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-99-0x0000000000970000-0x00000000014EF000-memory.dmp	upx
behavioral2/memory/4524-100-0x0000000000970000-0x00000000014EF000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\888b6f6c-d2b4-57e5-6af8-8a82df046cd2	stand.exe
File created	C:\Program Files (x86)\WindowsPowerShell\dwm.exe	stand.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\dwm.exe	stand.exe
File created	C:\Program Files\Google\Chrome\Application\dwm.exe	dwm.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe	dwm.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReAgentc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwm.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
4000	stand.exe
4000	stand.exe
4000	stand.exe
4000	stand.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4952	powershell.exe
4952	powershell.exe
4976	dwm.exe
4976	dwm.exe
4952	powershell.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4760	dwm.exe
4760	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4524	dwm.exe
4624	spoolsv.exe
4624	spoolsv.exe
3768	dwm.exe
3768	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4524	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4524	dwm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4524	4000	stand.exe	92
PID 4000 wrote to memory of 4524	4000	stand.exe	92
PID 4000 wrote to memory of 4524	4000	stand.exe	92
PID 4524 wrote to memory of 4952	4524	dwm.exe	96
PID 4524 wrote to memory of 4952	4524	dwm.exe	96
PID 4524 wrote to memory of 4952	4524	dwm.exe	96
PID 4524 wrote to memory of 4976	4524	dwm.exe	98
PID 4524 wrote to memory of 4976	4524	dwm.exe	98
PID 4524 wrote to memory of 4976	4524	dwm.exe	98
PID 4524 wrote to memory of 4760	4524	dwm.exe	100
PID 4524 wrote to memory of 4760	4524	dwm.exe	100
PID 4524 wrote to memory of 4760	4524	dwm.exe	100
PID 4952 wrote to memory of 1168	4952	powershell.exe	103
PID 4952 wrote to memory of 1168	4952	powershell.exe	103
PID 4952 wrote to memory of 1168	4952	powershell.exe	103

C:\Users\Admin\AppData\Local\Temp\stand.exe
"C:\Users\Admin\AppData\Local\Temp\stand.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files (x86)\WindowsPowerShell\dwm.exe
  "C:\Program Files (x86)\WindowsPowerShell\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\SysWOW64\ReAgentc.exe
      "C:\Windows\system32\ReAgentc.exe" /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1168
- - C:\Program Files\Google\Chrome\Application\dwm.exe
    "C:\Program Files\Google\Chrome\Application\dwm.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\dwm.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4760

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:448

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3984

C:\Program Files (x86)\WindowsPowerShell\dwm.exe
"C:\Program Files (x86)\WindowsPowerShell\dwm.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Users\Admin\AppData\Local\Mozilla\spoolsv.exe
C:\Users\Admin\AppData\Local\Mozilla\spoolsv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\dwm.exe

Filesize
17.8MB

MD5
4e45d159b2f482edac2ba45713c335a2

SHA1
1b97c1e523ed4add9d952842a920b0c42ceacfb4

SHA256
05ac40c0f8950fd6800e6663062d2a27cc466c5d3e2df8f50200fc1787e516f3

SHA512
2a041d04cb5be086bae31a49d9eec94187fbd7459803111017421fde76f968f6369c78060ccafb22a59781f55730f446343df104fd0383ac2b336411b3554ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0mvf4zk.0gw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3768-94-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4000-7-0x0000000000790000-0x000000000130F000-memory.dmp

Filesize
11.5MB

Download
memory/4000-0-0x0000000000790000-0x000000000130F000-memory.dmp

Filesize
11.5MB

Download
memory/4524-90-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-83-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-97-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-96-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-95-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-99-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-75-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-100-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-9-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-76-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-87-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-85-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-84-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-98-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-81-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4524-82-0x0000000000970000-0x00000000014EF000-memory.dmp

Filesize
11.5MB

Download
memory/4624-92-0x0000000000A00000-0x000000000157F000-memory.dmp

Filesize
11.5MB

Download
memory/4624-93-0x0000000000A00000-0x000000000157F000-memory.dmp

Filesize
11.5MB

Download
memory/4760-44-0x0000000000630000-0x00000000011AF000-memory.dmp

Filesize
11.5MB

Download
memory/4760-41-0x0000000000630000-0x00000000011AF000-memory.dmp

Filesize
11.5MB

Download
memory/4952-56-0x0000000070450000-0x000000007049C000-memory.dmp

Filesize
304KB

Download
memory/4952-79-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-55-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/4952-48-0x0000000007440000-0x0000000007462000-memory.dmp

Filesize
136KB

Download
memory/4952-57-0x0000000070C10000-0x0000000070F64000-memory.dmp

Filesize
3.3MB

Download
memory/4952-67-0x00000000076C0000-0x00000000076DE000-memory.dmp

Filesize
120KB

Download
memory/4952-68-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/4952-69-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/4952-70-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/4952-71-0x0000000007820000-0x000000000782E000-memory.dmp

Filesize
56KB

Download
memory/4952-72-0x0000000007830000-0x0000000007844000-memory.dmp

Filesize
80KB

Download
memory/4952-73-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/4952-74-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/4952-47-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/4952-78-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-46-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/4952-77-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/4952-49-0x00000000085C0000-0x0000000008B64000-memory.dmp

Filesize
5.6MB

Download
memory/4952-45-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/4952-42-0x0000000007290000-0x0000000007306000-memory.dmp

Filesize
472KB

Download
memory/4952-36-0x00000000064D0000-0x0000000006514000-memory.dmp

Filesize
272KB

Download
memory/4952-34-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/4952-35-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/4952-10-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/4952-28-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4952-21-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4952-22-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4952-20-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/4952-19-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-12-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/4952-14-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4952-15-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-18-0x00000000005E0000-0x000000000115F000-memory.dmp

Filesize
11.5MB

Download
memory/4976-33-0x00000000005E0000-0x000000000115F000-memory.dmp

Filesize
11.5MB

Download