File name:	test.exe
Full analysis:	https://app.any.run/tasks/e062643f-3054-4fa1-a5c8-164a4293e1c2
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 22, 2025, 21:39:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx stealer golang salatstealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	5B61FAE91F37FDFD32FF77482AE052DE
SHA1:	09C1B2624F9E1D2E2D070CB224850E89E3A4FF8D
SHA256:	08BD79B8333434A9F742C9E686F1586712BC5C16B306B029B1BB35D6AC06A41E
SSDEEP:	98304:xkENC61HkTrUVJPDL9KZiXIVUKe3KUNbxkg6cf22Z8BLPSXOlX0RMn/D2dCMVMos:THlzXc+I

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:19 16:53:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.43
CodeSize:	143872
InitializedDataSize:	3344896
UninitializedDataSize:	-
EntryPoint:	0x6dec
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	16.3.49162.167
ProductVersionNumber:	16.3.49162.167
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Russian
CharacterSet:	Unicode
CompanyName:	Microsoft INC
FileDescription:	Visual Studio Graphics Corporation
FileVersion:	16.3.49162.167
InternalName:	VsGraphicsHelper.dll
LegalCopyright:	Copyright (C) 2023
OriginalFileName:	VsGraphicsHelper.dll
ProductName:	Visual Studio
ProductVersion:	16.3.49162.167


(PID) Process:	(5528) test.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5528) test.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5528) test.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2236	exeD60F.tmp	C:\Users\admin\AppData\Local\Programs\svchost.exe		executable
		MD5:25755A9D9BC01FB0EE5E740394810882	SHA256:6880ECF0A8D3FA24D7F2854FF48D420522787E8189F65BA7B62DD88D7005537D
5528	test.exe	C:\Users\admin\AppData\Local\Temp\exeD60F.tmp		executable
		MD5:25755A9D9BC01FB0EE5E740394810882	SHA256:6880ECF0A8D3FA24D7F2854FF48D420522787E8189F65BA7B62DD88D7005537D
5528	test.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\hick[1].txt		text
		MD5:6889E9CD51F6630422ED8BABCC21AD33	SHA256:75578A36DAA38C9418141F364BE7EBA35CB81C9EAD8A22FD3C0A39B9F6982832
2236	exeD60F.tmp	C:\Users\admin\AppData\Local\Opera\winlogon.exe		executable
		MD5:25755A9D9BC01FB0EE5E740394810882	SHA256:6880ECF0A8D3FA24D7F2854FF48D420522787E8189F65BA7B62DD88D7005537D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5528	test.exe	GET	200	185.100.157.137:80	http://xabanak.ru/cl1/hick.txt	unknown	—	—	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	unknown
5528	test.exe	185.100.157.137:80	xabanak.ru	LLC Digital Network	TR	unknown
2236	exeD60F.tmp	1.1.1.1:443	—	—	—	unknown
2236	exeD60F.tmp	188.114.97.2:443	—	—	—	unknown
904	winlogon.exe	1.1.1.1:443	—	—	—	unknown
904	winlogon.exe	188.114.96.2:443	—	—	—	unknown
5048	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2984	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	unknown
google.com	142.250.186.142	unknown
xabanak.ru	185.100.157.137	unknown
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	unknown

PID	Process	Class	Message
2236	exeD60F.tmp	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2236	exeD60F.tmp	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2236	exeD60F.tmp	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2236	exeD60F.tmp	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
904	winlogon.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

General Info

test.exe

5B61FAE91F37FDFD32FF77482AE052DE

09C1B2624F9E1D2E2D070CB224850E89E3A4FF8D

08BD79B8333434A9F742C9E686F1586712BC5C16B306B029B1BB35D6AC06A41E

98304:xkENC61HkTrUVJPDL9KZiXIVUKe3KUNbxkg6cf22Z8BLPSXOlX0RMn/D2dCMVMos:THlzXc+I

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Starts itself from another location

There is functionality for taking screenshot (YARA)

Multiple wallet extension IDs have been found

Starts application with an unusual extension

INFO

The sample compiled with russian language support

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

UPX packer has been detected

Create files in a temporary directory

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings