File name:	da.exe
Full analysis:	https://app.any.run/tasks/ffcfc88d-7d04-4568-9fa5-241dfe40384b
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 22:13:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer ms-smartcard golang upx salatstealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	177594EA7DC41B490CC1E20FE4284687
SHA1:	CDC8375EE7CA19B973F5AB366495C7DDBFF50C43
SHA256:	8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2
SSDEEP:	98304:dUIT0/vp7FvoJ8OknGT42xDVjoF8HtBVbGjv9BtH/anNJ8Jni/31o7U+NUpRXSXt:TmlOwKY

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	3276800
InitializedDataSize:	4096
UninitializedDataSize:	8761344
EntryPoint:	0xb7a5c0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI

PID	Process	Filename		Type
7856	OfficeClickToRun.exe	C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe		executable
		MD5:177594EA7DC41B490CC1E20FE4284687	SHA256:8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2
7856	OfficeClickToRun.exe	C:\Program Files\Google\Chrome\Application\OfficeClickToRun.exe		executable
		MD5:177594EA7DC41B490CC1E20FE4284687	SHA256:8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2
7512	da.exe	C:\Users\admin\AppData\Local\TileDataLayer\winlogon.exe		executable
		MD5:177594EA7DC41B490CC1E20FE4284687	SHA256:8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2
7512	da.exe	C:\Program Files (x86)\Microsoft\OfficeClickToRun.exe		executable
		MD5:177594EA7DC41B490CC1E20FE4284687	SHA256:8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4172	RUXIMICS.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4172	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7512	da.exe	1.1.1.1:443	—	—	—	malicious
2104	svchost.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4172	RUXIMICS.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7512	da.exe	104.21.84.111:443	—	—	—	unknown
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	95.101.54.128 95.101.54.122	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

da.exe

177594EA7DC41B490CC1E20FE4284687

CDC8375EE7CA19B973F5AB366495C7DDBFF50C43

8C187C384B6BF9C9E4845B893783289C6AEF45D0A09C524186F32496028FAFE2

98304:dUIT0/vp7FvoJ8OknGT42xDVjoF8HtBVbGjv9BtH/anNJ8Jni/31o7U+NUpRXSXt:TmlOwKY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for taking screenshot (YARA)

Multiple wallet extension IDs have been found

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Create files in a temporary directory

Detects GO elliptic curve encryption (YARA)

UPX packer has been detected

Application based on Golang

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings