MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
SHA3-384 hash: 0ef026c5ec49dce9a7d673f06e3aa441a0def0c75995b635c447c1d08c992195b3b696a875c5776ce19025a03be2cfbf
SHA1 hash: 5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
MD5 hash: 4ca40d9d318d97d68fcb518e2c4fe07a
humanhash: december-oregon-black-social
File name:Cryptor.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:3'037'184 bytes
First seen:2024-06-01 04:24:49 UTC
Last seen:2024-06-01 05:18:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8effc9201cf1e60acc68af88aec3bd3 (4 x RustyStealer)
ssdeep 49152:yG3XVai+IaMqPPgeT+B2GDsp8aTvMf1p8LEh3ZDJgD3WIPvozJO7caDV2aK:yqXVD7deT+spnU80JDJi3WgQtAVDcaK
TLSH T1DCE533CF951086DDF3E3F2B58B39B885D792A82A9B0EB0171EF5359422B68F015DF601
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter bobross_malware2
Tags:exe RustyStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46.exe
Verdict:
Malicious activity
Analysis date:
2024-06-01 04:30:57 UTC
Tags:
rustystealer stealer
Link:
https://app.any.run/tasks/d6fb0c43-852f-43c3-a127-e67ddb514b78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.35070.9180.29884.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665b191929ebcd67665cb159win7simulatehigh_evasion
Tags:
Network Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Reading critical registry keys
Changing a file
Creating a file
Sending a custom TCP request
Stealing user critical data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/75007784-4cf3-41c0-a0f3-d35fd4e5af10
Result
Threat name:
Luca Stealer, Rusty Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1450341
Signature
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Yara detected Luca Stealer
Yara detected Rusty Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-06-01 04:25:07 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6mi4ordtghfo6ccmkx7u6cottdd52kjj3hdx5jhjj2dh5h7vnda._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution spyware stealer upx
Link:
https://tria.ge/reports/240601-e1yssahh3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dac9ddd1-297d-4ffe-893e-5c1d4139e136
Unpacked files
SH256 hash:
17b420104131c59619411e4732743ec8e9c373228613ee23731c1fd239fac7dd
MD5 hash:
af412b399914b80044340ade572bf2ab
SHA1 hash:
448557087815068ea337905a61f83f02eee47c07
Link:
https://www.unpac.me/results/8d97dd58-f19c-4632-addf-decebee3a22a/
SH256 hash:
7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
MD5 hash:
4ca40d9d318d97d68fcb518e2c4fe07a
SHA1 hash:
5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
Link:
https://www.unpac.me/results/8d97dd58-f19c-4632-addf-decebee3a22a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::FreeSid
SS_APIUses SS APIsecur32.dll::DecryptMessage
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_CRYPT_APIUses Windows Crypt APIcrypt32.dll::CertOpenStore
WIN_SOCK_APIUses Network to send and receive dataws2_32.dll::bind

Comments