salatstealer | 003ace97463c139fb1d6c53909c5dac9ffd958a698330a817bc268e6131182c5

General

Target

Fatality.exe
Size

3.2MB
MD5

314375a212ba4f9038c454820d9c5cad
SHA1

2ce6451c052f88a9c0bddad5f23bc3253cb972bd
SHA256

003ace97463c139fb1d6c53909c5dac9ffd958a698330a817bc268e6131182c5
SHA512

31dcee114b402cded2bcc1f0589963b835e97dd9b2d173aad2ddf1afd72874e335f75bd2d08d2c14ef90334f4d7d01fe0830503479292e7b1d6938c2781eeaf8
SSDEEP

98304:dSSniwJ8BPhwpzMda5oyqo7UrstRTJjyPv+I:8+WwpzMw5zqo7UrsDt2PH

Score

10^/10

Malware Config

Signatures

Detect SalatStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/348-62-0x0000000000CE0000-0x0000000001804000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 3 IoCs

pid	Process
348	fatality.exe
1300	icsys.icn.exe
2740	explorer.exe

Loads dropped DLL 4 IoCs

pid	Process
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
1300	icsys.icn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000017570-6.dat	upx
behavioral1/memory/348-14-0x0000000000CE0000-0x0000000001804000-memory.dmp	upx
behavioral1/memory/348-62-0x0000000000CE0000-0x0000000001804000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Fatality.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
2520	Fatality.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
1300	icsys.icn.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2520	Fatality.exe
2520	Fatality.exe
1300	icsys.icn.exe
1300	icsys.icn.exe
2740	explorer.exe
2740	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 348	2520	Fatality.exe	30
PID 2520 wrote to memory of 348	2520	Fatality.exe	30
PID 2520 wrote to memory of 348	2520	Fatality.exe	30
PID 2520 wrote to memory of 348	2520	Fatality.exe	30
PID 2520 wrote to memory of 1300	2520	Fatality.exe	31
PID 2520 wrote to memory of 1300	2520	Fatality.exe	31
PID 2520 wrote to memory of 1300	2520	Fatality.exe	31
PID 2520 wrote to memory of 1300	2520	Fatality.exe	31
PID 1300 wrote to memory of 2740	1300	icsys.icn.exe	32
PID 1300 wrote to memory of 2740	1300	icsys.icn.exe	32
PID 1300 wrote to memory of 2740	1300	icsys.icn.exe	32
PID 1300 wrote to memory of 2740	1300	icsys.icn.exe	32

C:\Users\Admin\AppData\Local\Temp\Fatality.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:348
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1300
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2740
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      PID:2720
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        
        PID:2864
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:2640
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a96c445b7a4caee3b368792dcd8ddef7

SHA1
963a7ba0add830c18106db9954608b0d828f70ab

SHA256
c5bd42339614c8e64753dc80b7bee6aee252213357d3533720a7940102adf72e

SHA512
265441d1385a31d50aec8bc936cfec580d8307751e14d8548e2f8094c5331acd4a70f25d68e45ba703f0563bfaf9e3c66b5aefaad93d8cb367eb628faaed75d5

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
17e0d90ebfbebf56ac506ee1a002847c

SHA1
402113658d691f85cb6dbe25ac84758b4270ae5d

SHA256
84af98e0d210367def7265aa7f8393e4a52253522c00919c795bd8aed2180485

SHA512
0657b0d7e77cf915f6cc4bf1505f65461e38a1186f9c04fe727f6fcb510645d94bf17e38a51c079d034d42402980b076d1a19c3aea31fca466bb96d6f9aa6f3a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
6b203106430e6d4b9f84fef9fa3cf98f

SHA1
cd966f584980a937acc40013ab28d848fb26f20a

SHA256
db1145459915176e1a4f039ea36a864313c6731a9c381aa898c539c1d6c5353a

SHA512
0e9e23516071589a9b4e8cd24e5a33c04cd38fd98ff1d5023c4e01de8085cf2967fd333c3cdd4ef9c4703868c5fbf7f0faf0bf0e162d8f4b79394156de7b3d70

Download Submit
\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
3.0MB

MD5
c3d006e36238ccde7635fc1dff753e18

SHA1
d75c29be127aafa4391ffaf17007dfe0e04841b2

SHA256
36addab1b80302055acc352fd2da83de76f98432d02749ccf15d80961d9b4f27

SHA512
feed68622448f75c8bafbd411e0445751d3255db57708dcf9e64ca692c66bf9ad5ba3a9b9412813af990150047d25bc4382cf646822aef8b65553607ce690a86

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
bc6f9dce9b0404f94c54afc0970fd1b9

SHA1
9aa19e57633910bd83e7544fcd99ace5e7c4d84f

SHA256
f19a141e64608fbf6ef4e97d67fdd4812f6512aeffb96a68f28af3cc354859df

SHA512
5293b9a535ab9f4e817046b3b75314f7541156b68b230223219120fd2dcbd2050c5e3bd6845e785d0e76e26b8be1869a91242aadeb68ad9a030e98293d0909ed

Download Submit
memory/348-14-0x0000000000CE0000-0x0000000001804000-memory.dmp

Filesize
11.1MB

Download
memory/348-62-0x0000000000CE0000-0x0000000001804000-memory.dmp

Filesize
11.1MB

Download
memory/1300-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-31-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2520-15-0x0000000002CA0000-0x00000000037C4000-memory.dmp

Filesize
11.1MB

Download
memory/2520-20-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2520-61-0x0000000002CA0000-0x00000000037C4000-memory.dmp

Filesize
11.1MB

Download
memory/2520-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2520-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2520-12-0x0000000002CA0000-0x00000000037C4000-memory.dmp

Filesize
11.1MB

Download
memory/2640-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-63-0x0000000001CB0000-0x0000000001CCF000-memory.dmp

Filesize
124KB

Download
memory/2720-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing