Salat Stealer - Malware Analysis

Authors: nop4tch, d1ox

Summary

This report analyzes a UPX-packed Windows executable file identified as a Salat Stealer. The malware collects the victim's keystrokes, system information, browser-stored credentials, cryptocurrency wallet data, and messaging applications data. It can also access the victim's webcam and microphone. It compresses the collected data and then exfiltrates it to the command-and-control (C2) server over the Quick UDP Internet Connections (QUIC) protocol.

Sample Details

Filename: e6eaf9092a16b0f057bf7fb3293f7aecc6cf9fd1cd5971ecb763489c6449910f.exe
MD5: 501fb64f5797264b6dc6ba099b762fe4
SHA1: f12752c1e6a6e7b1e07dc64159b23971fe8c0d71
SHA256: e6eaf9092a16b0f057bf7fb3293f7aecc6cf9fd1cd5971ecb763489c6449910f
File size: 3,280,384 bytes
Architecture: I386

Static Analysis

The malware sample is packed using UPX (0.89+), meaning all the sections in the PE file are compressed or encrypted to hide the real program instructions and make the file harder to analyze.

Figure 1. Detect It Easy (DIE) showing the PE file is 99% packed

Figure 1 shows that section 1 at offset 00000200 has an entropy score of 7.99993, which indicates that the PE file is undoubtedly packed.
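To reproduce the per-section entropy reading that DIE reports without the GUI, the following Python script is an added example (not part of the original report): it parses the DOS/COFF headers, walks the PE section table and scores each section's raw data. The PE image it scores is constructed inline by build_pe, so it runs offline; point section_entropies at the real bytes to score a sample.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> dict:
    """Parse the headers, walk the section table and return {section name: entropy of raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt  # section table immediately follows the optional header
    result = {}
    for i in range(nsec):  # each section header is 40 bytes; we only need name, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        result[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(entropies: dict, threshold: float = 7.0) -> list:
    """Names of sections whose entropy is high enough to look compressed or encrypted."""
    return [name for name, ent in entropies.items() if ent >= threshold]


def build_pe(sections: list) -> bytes:
    """Constructed minimal PE32 image (headers just valid enough for section_entropies); not a real sample."""
    opt = bytes(224)  # placeholder optional header; its contents are never read above
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table, body, ptr = b"", b"", e_lfanew + 24 + len(opt) + 40 * len(sections)
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0, len(data), ptr) + bytes(16)
        body, ptr = body + data, ptr + len(data)
    return dos + coff + opt + table + body


if __name__ == "__main__":
    # Constructed UPX-style layout: an empty UPX0, a near-uniform UPX1 and a low-entropy resource section
    sample = build_pe([(b"UPX0", bytes(512)), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"salat" * 64)])
    for name, ent in section_entropies(sample).items():
        print(f"{name:8s} entropy={ent:.5f}")
    print("packed sections:", packed_sections(section_entropies(sample)))
```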

Figure 2. Unpacked the malware sample using UPX

Unpacking a UPX-packed executable is straightforward. An online service such as UnpacMe is one option, but in this case running the upx command with the "-d" flag inside FlareVM is enough. Figure 2 shows that the malware sample e6eaf9092a16b0f057bf7fb3293f7aecc6cf9fd1cd5971ecb763489c6449910f.exe was successfully unpacked.

Figure 3. Salat Stealer Unpacked written in Golang
Figure 4. Strings of Salat Stealer Unpacked

Checking the unpacked PE file with Detect It Easy (DIE) shows that it is written in Golang (1.22.0). Navigating to the Strings view reveals a number of Go libraries hosted on GitHub that the malware uses. These libraries are used to interact with the operating system, communicate over the internet, parse files, and perform database operations.

Figure 5. Stripped symbols

When the sample is imported into Ghidra, all of its symbols turn out to be stripped. The malware author removed the symbols with a script to make it harder to reverse engineer the real functionality of the malware.

Figure 6. Symbols restored

A tool named GoReSym is used to recover the type names, package names, and standard Go package names embedded in the PE file. GoReSym did a good job of recovering the Go symbols and renaming all the functions in Ghidra. The malware author did not obfuscate most of the function names, which reveals the real purpose of each function.

GitHub — mandiant/GoReSym: Go symbol recovery tool

Reverse Engineering

Figure 7. Ghidra Function call tree of main.main

This figure illustrates the execution flow of the functions called from main.main, the entry point of the malware.

main.GetHWID

This function retrieves the machine's hardware identifier (HWID), which is used to uniquely identify infected devices.

main.Elevate

This function elevates the privileges of the current process. It first calls main.isAdmin to check whether the process is already running with admin rights; if not, it tries to restart the process with elevated privileges.

main.runKeylogger

After elevating privileges, this function starts a keylogger in the background and starts collecting the victim's keystrokes.

main.DuplicateUserTokenFromSessionID

This function duplicates the Windows user token of the current session ID. By doing so, Salat Stealer bypasses User Account Control (UAC) to perform actions that would otherwise require the victim's approval.

main.checkDOH

This function performs DNS over HTTPS (DoH) connectivity checks. Salat Stealer does this to blend in with legitimate traffic.

main.rq

This function appears to be the command-and-control (C2) communication handler, responsible for processing encrypted commands from the remote server over the Quick UDP Internet Connections (QUIC) protocol.

main.getActiveWin

This function calls the main.GetWindowText function to retrieve the name of the active window.

main.main.func3

This function processes decrypted JSON commands from the C2 server. It also calls the main.sendScreen function, which sends a screenshot to the C2 server.

main.getRandomProcesses

This function simply picks random active processes on the system.

main.getRandomFolders

This function simply picks random folders on the system.

main.staticinstall

This function uses the information produced by main.getRandomProcesses and main.getRandomFolders to hide the malware on the system. Behind the scenes it does the following:

  • It creates a file, named after a random process, in a random application folder on the system.

  • It then calls the main.newTask function to set the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the malware starts when the user logs into the system.

  • It also sets the file attributes to hidden and system-protected.

main.Steal

Figure 8. Ghidra Function call tree of main.Steal

This figure shows the execution flow of main.Steal, which is responsible for taking screenshots and gathering system information, saved data, and cookies from installed applications such as browsers, messaging apps, and cryptocurrency wallets. It then compresses the stolen data and sends it back to the command-and-control (C2) server.

Salat Stealer steals information from the following applications:

Cryptocurrency Wallets / Crypto Apps

These are used to store, send, or manage cryptocurrencies and tokens.

Armory – Bitcoin cold storage wallet
Exodus – Multi-currency desktop/mobile wallet
Guarda – Multi-asset crypto wallet
Bitapp – Likely a lesser-known crypto wallet or DApp browser
Coin98 – Multi-chain wallet and DeFi gateway
Fewcha – Web3 wallet for Aptos blockchain
Finnie – Web3 wallet for the Koii Network
Iconex – ICON blockchain wallet
Kaikas – Klaytn blockchain wallet
Oxygen – DeFi prime brokerage platform on Solana
Pontem – Aptos ecosystem wallet/project
Saturn – Possibly Saturn Wallet (Web3 extension wallet)
Sollet – Solana browser extension wallet
Wombat – Web3 wallet for EOS, Telos, and WAX
XMR – Refers to Monero (commonly associated with privacy wallets)
PTX – Possibly PTX Wallet (lesser-known or custom)
inPay – Blockchain-based payment wallet
Bytecoin – Privacy-focused cryptocurrency (wallet and chain)
Ethereum – Ethereum wallet
Electrum – Lightweight Bitcoin wallet
MyMonero – Lightweight Monero wallet
Coinbase – Crypto exchange and wallet
Crocobit – Lesser-known wallet (likely crypto-related)
Metamask – Ethereum/Web3 browser wallet
Starcoin – Wallet/project on the Starcoin blockchain

Web Browsers

Most of these are standalone or Chromium-based browsers, some privacy- or region-focused.

Chrome – Google’s browser
Chedot – Chromium-based browser with media download features
Kometa – Custom Chromium browser (often bundled with shady apps)
Fenrir – Refers to Sleipnir browser by Fenrir Inc.
Coowon – Game-enhanced Chromium browser
Liebao – Chinese Chromium browser (Cheetah browser)
Dragon – Comodo Dragon Browser
CocCoc – Vietnamese Chromium browser
Yandex – Russian web browser
Waterfox – Privacy-focused Firefox fork
K-Meleon – Lightweight Windows browser
Cyberfox – Firefox-based browser
BlackHaw – Custom Chromium browser
Chromium – Open-source browser base for Chrome
Elements – Possibly a custom Chromium browser

Communication Apps

Used primarily for messaging or social interaction.

Telegram – Encrypted messaging app
QIP – Old Russian instant messaging client
Discord
Steam

Dynamic Analysis

Figure 9. Fakenet showing a GET request to malicious domains

When Salat Stealer is executed in an isolated environment, it first checks whether the infected system is connected to the internet by sending a GET request to the following URLs. It exits automatically if neither domain returns a 200 OK response or if the system is not connected to the internet.

  • posholnahuy.ru/sa1at/

  • pidorasina.ru/sa1at/

Figure 10. ProcMon showing RegOpenKey Operations

If the machine is connected to the internet, it gathers system information by reading registry values such as HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography, which stores the Machine GUID, among other keys.

Figure 11. ProcMon showing RegSetValue Operations

This figure shows that it also modifies registry values to allow the system to communicate smoothly with the C2 server.

Figure 12. ProcMon showing WriteFile and Process Create Operations

This figure confirms the behaviour of the main.staticinstall function observed during the static analysis phase. It chooses a random process name and copies the malware into a random application folder. In this case, it uses Procmon64.exe as the filename and stores it in the C:\Users\nopatchzone\AppData\Local\dnSpy\ folder. The purpose is to blend the malware in with the installed applications, which makes it difficult to locate.

It then creates a new process and runs the malware in the background, where it starts capturing and streaming the screen and accessing the microphone. It also starts stealing saved data, cookies, and other information from the target applications listed above.
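The drop-then-persist sequence of main.staticinstall described in the static analysis (an executable written into a random application folder, marked hidden and system, then registered under a Run key) and confirmed here in ProcMon can be correlated automatically. The following Python script is an added example, not part of the original report: it reads a ProcMon CSV export and emits one finding per Run value that points at an .exe the same PID had just dropped under the user's AppData. The CSV lines are constructed to imitate ProcMon's export (column names assumed to follow its default CSV format) and are not from the real capture.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed ProcMon-style CSV export (not a real capture); column names assumed to match ProcMon's default export.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,sample.exe,4120,WriteFile,C:\\Users\\victim\\AppData\\Local\\dnSpy\\Procmon64.exe,SUCCESS,"Offset: 0, Length: 65,536"
10:01:02.200,sample.exe,4120,SetBasicInformationFile,C:\\Users\\victim\\AppData\\Local\\dnSpy\\Procmon64.exe,SUCCESS,"FileAttributes: HS"
10:01:02.300,sample.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Procmon64,SUCCESS,"Type: REG_SZ, Length: 104, Data: C:\\Users\\victim\\AppData\\Local\\dnSpy\\Procmon64.exe"
10:01:05.000,notepad.exe,5000,WriteFile,C:\\Users\\victim\\Documents\\notes.txt,SUCCESS,"Offset: 0, Length: 12"
10:01:06.000,setup.exe,6100,RegSetValue,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,"Type: REG_SZ, Length: 60, Data: C:\\Program Files\\Vendor\\updater.exe"
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_PROFILE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def find_persistence(csv_text: str) -> list:
    """Return one finding per Run-key value that points at an .exe the same PID dropped under AppData."""
    dropped = defaultdict(dict)  # pid -> {lowercased path: {"path": original, "hidden_system": bool}}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, op, path, detail = row["PID"], row["Operation"], row["Path"], row["Detail"]
        key = path.lower()
        if op == "WriteFile" and key.endswith(".exe") and USER_PROFILE.match(path):
            # Signal 1: an executable written into the user's profile (the "random application folder")
            dropped[pid].setdefault(key, {"path": path, "hidden_system": False})
        elif op == "SetBasicInformationFile" and key in dropped[pid]:
            # Signal 2: the dropped file gets Hidden + System attributes (attribute letters in Detail)
            attrs = detail.split("FileAttributes:")[-1].split(",")[0].strip().upper()
            dropped[pid][key]["hidden_system"] = "H" in attrs and "S" in attrs
        elif op == "RegSetValue" and RUN_KEY.search(path):
            # Signal 3: a Run value whose data references a file this same PID dropped
            data = detail.split("Data:")[-1].strip().lower()
            for dropped_key, info in dropped[pid].items():
                if dropped_key in data:
                    findings.append({"pid": pid, "process": row["Process Name"], "dropped": info["path"],
                                     "run_value": path, "hidden_system": info["hidden_system"]})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_CSV):
        print(f"[persistence] pid={f['pid']} {f['process']} dropped {f['dropped']} -> {f['run_value']}"
              f" (hidden+system={f['hidden_system']})")
```

The benign setup.exe row is deliberately not flagged: a Run value alone is normal installer behaviour, and only the combination with a self-dropped hidden executable in the profile matches this stealer's install routine.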

Figure 13: Wireshark

This figure shows the machine communicating with the IP address 104.21.84.111, to which sa1at.ru resolves, over the Quick UDP Internet Connections (QUIC) protocol. This is how Salat Stealer sends the compressed and encrypted stolen data back to the C2.


Automated Analysis (sandbox)

With the unpacked sample in hand, we were able to run it through Qu1cksc0pe and AnyRun.

Figure 12: Qu1cksc0pe command

This figure shows the command used to analyze the unpacked sample.

python3 qu1cksc0pe.py --file ~/path/to/unpacked_file.exe.bin --analyze --domain  

With that command, we were able to extract additional details about the file, such as functions related to registry keys, cryptography, defense evasion, persistence, and more. It also matched a large number of YARA rules for privilege escalation, keylogging, VM detection, and others. The entire output is available at this Pastebin link: https://pastebin.com/jSHKhD9f

Figure 13: Function Categories

This figure shows an overview of all the functions found in the malware and their categories.

File Analysis

Figure 14: Matched with win_mutex yara rule.

This figure shows that the malware matched the win_mutex YARA rule. For those unfamiliar with mutexes, malware developers use them to prevent their malware from infecting the same device twice.

Figure 15: Matched with obvious yara rules.
Figure 16: Matched anti-analysis yara.

This figure shows that the malware matched the vmdetect and disable_dep rules, which suggests that the malware may have anti-debugging capabilities.

MITRE

Figure 17: Salat Stealer MITRE TTP Matrix

The above figure shows the malware's MITRE TTPs:

  • DISCOVERY: T1087: Account Discovery; T1010: Application Window Discovery; T1083: File and Directory Discovery; T1057: Process Discovery; T1012: Query Registry

  • PRIVILEGE ESCALATION: T1134: Access Token Manipulation

  • PERSISTENCE: T1546: Event Triggered Execution; T1547: Boot or Logon Autostart Execution

  • COLLECTION: T1056: Input Capture; T1113: Screen Capture; T1005: Data from Local System

  • CREDENTIAL ACCESS: T1056: Input Capture; T1040: Network Sniffing

  • DEFENSE EVASION: T1112: Modify Registry

  • COMMAND AND CONTROL: T1071: Application Layer Protocol

  • EXFILTRATION: T1567: Exfiltration Over Web Service

Figure 19: Salat Stealer Behavior Graph (AnyRun)

This figure shows an overview of the stealer's behavior in the sandbox when executed. On initial execution, it adds itself to startup and renames itself to "WmiPrvSE.exe". It is worth noting that it generates a random name every time it is executed. It then proceeds to steal personal data and credentials from browsers such as Chrome and Edge. It also executes a legitimate process called "slui.exe", which is a legitimate software licensing component. In this case, it runs with the "-Embedding" flag, which could indicate that the malware is embedding its operations within the context of slui.exe, potentially to bypass security mechanisms that monitor standalone executable behavior.

Indicators of Compromise (IOCs)

104[.]21[.]84[.]111
sa1at[.]ru
uffyaa[.]ru
Salat Stealer (Packed)
MD5: 501fb64f5797264b6dc6ba099b762fe4
SHA1: f12752c1e6a6e7b1e07dc64159b23971fe8c0d71
SHA256: e6eaf9092a16b0f057bf7fb3293f7aecc6cf9fd1cd5971ecb763489c6449910f

Salat Stealer (UnPacked)
md5: 330622ae214345e7417c3275d744eb08
sha1: cffe2cead41b191d41ec037ef553feb5e41e7c1e
sha256: c5584f2f1e258ddfec65eba05e0aaa1c07cfbbd38b063237d61b31b4a3e7a16c

Procmon64.exe
md5: 330622ae214345e7417c3275d744eb08
sha1: cffe2cead41b191d41ec037ef553feb5e41e7c1e
sha256: c5584f2f1e258ddfec65eba05e0aaa1c07cfbbd38b063237d61b31b4a3e7a16c