File name:	webrat.exe
Full analysis:	https://app.any.run/tasks/ad5dd2ac-5c55-4f54-87b0-e326fcee2cac
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 19, 2026, 21:03:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	salatstealer stealer ms-smartcard upx golang susp-powershell
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	CD1358890DDEBCD301C6B41B3A6DDD85
SHA1:	52DB4D738AADFC983ACC886CAE60D1ACD8270020
SHA256:	09FEA3AE9E67511DDC99788C63AA9B4660C3681E694808B7A7F41525CE023394
SSDEEP:	98304:PmicBZyQxSlAgq7A0j/06xEMtR8GdyL0nSgax/2IX/fcaMIqa/cBQt/i6ri8QxK4:+nTbE8

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	3588096
InitializedDataSize:	4096
UninitializedDataSize:	9334784
EntryPoint:	0xc52830
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(2576) webrat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2576) webrat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2576) webrat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2576) webrat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1824) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
6884	webrat.exe	C:\Users\admin\AppData\Local\Adobe\a720646c-990a-f7f9-d2d7-04663a7f6c99		—
		MD5:—	SHA256:—
6884	webrat.exe	C:\Program Files (x86)\Windows Sidebar\a720646c-990a-f7f9-d2d7-04663a7f6c99		—
		MD5:—	SHA256:—
7536	smss.exe	C:\Users\admin\AppData\Local\Temp\a720646c-990a-f7f9-d2d7-04663a7f6c99		—
		MD5:—	SHA256:—
2160	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_felky1jj.hjw.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2160	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive		binary
		MD5:C0D89A429AC58C7FA4A132CB11966E18	SHA256:EB14C9CDCA3428C45EA9154408249F3C7D85B71E5FF31509FE166B7835CEEF82
2160	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0qjutyw3.zre.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6884	webrat.exe	C:\Users\admin\AppData\Local\Adobe\spoolsv.exe		executable
		MD5:CD1358890DDEBCD301C6B41B3A6DDD85	SHA256:09FEA3AE9E67511DDC99788C63AA9B4660C3681E694808B7A7F41525CE023394
2160	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uuuorfrq.oed.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2160	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e1xo5ga3.vu2.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6884	webrat.exe	C:\Program Files (x86)\Windows Sidebar\smss.exe		executable
		MD5:CD1358890DDEBCD301C6B41B3A6DDD85	SHA256:09FEA3AE9E67511DDC99788C63AA9B4660C3681E694808B7A7F41525CE023394

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	unknown	—	—	whitelisted
3352	svchost.exe	GET	200	23.48.23.141:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3352	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3352	svchost.exe	GET	200	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	unknown	text	3.41 Kb	whitelisted
1824	slui.exe	POST	500	128.24.231.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	text	512 b	whitelisted
1824	slui.exe	POST	500	128.24.231.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	text	512 b	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	unknown	—	—	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	128.24.231.65	whitelisted
www.bing.com	2.16.241.205 2.16.241.207 2.16.241.218	whitelisted
google.com	142.251.141.110	whitelisted
crl.microsoft.com	23.48.23.141 23.48.23.147 23.48.23.194 23.48.23.143 23.48.23.139 23.48.23.150 23.48.23.138 23.48.23.140 23.48.23.145 95.101.54.128 95.101.54.122	whitelisted
www.microsoft.com	88.221.169.152 23.59.18.102	whitelisted
dns.google	8.8.8.8 8.8.4.4	whitelisted
self.events.data.microsoft.com	20.42.65.84	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
3352	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

General Info

webrat.exe

CD1358890DDEBCD301C6B41B3A6DDD85

52DB4D738AADFC983ACC886CAE60D1ACD8270020

09FEA3AE9E67511DDC99788C63AA9B4660C3681E694808B7A7F41525CE023394

98304:PmicBZyQxSlAgq7A0j/06xEMtR8GdyL0nSgax/2IX/fcaMIqa/cBQt/i6ri8QxK4:+nTbE8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALATSTEALER mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Starts itself from another location

Application launched itself

Executable content was dropped or overwritten

Starts POWERSHELL.EXE for commands execution

Possible stealing from crypto wallets

Gets path to any of the special folders (POWERSHELL)

Possible stealing of messenger data

Multiple wallet extension IDs have been found

INFO

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Creates files in the program directory

Drops encrypted JS script (Microsoft Script Encoder)

Create files in a temporary directory

Checks current location (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

There is functionality for taking screenshot (YARA)

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

UPX packer has been detected

Found Base64 encoded access to environment variables via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings