MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RustyStealer


Vendor detections: 14

SHA256 hash: 07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
SHA3-384 hash: 308775f1b595e72d1cc7c779fce0382153548acd0782b5d123e6b0f86ee33d6f8b31f4f0319a28e1a98308f8e3272a14
SHA1 hash: ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b
MD5 hash: 3abe68c3c880232b833c674d9b1034ce
humanhash: football-nevada-mountain-zulu
File name: SecuriteInfo.com.DeepScan.Generic.ShellCode.Donut.Marte.4.4BF2137B.9225.27785
Download: download sample
Signature: RustyStealer
File size: 5'886'695 bytes
First seen: 2024-03-22 15:34:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 72b23e5befd7e280d20f6e764fc79ca9 (1 x RustyStealer)
ssdeep: 49152:ZBCullUWc8G8kH20J22Bjpd4a6KUaOe1qE2j9x4nzgqr5zwf+dUIyRutm+tIJSKq:gH2aQa6eOt4ZDeDPkv1P
Threatray: 1 similar samples on MalwareBazaar
TLSH: T147568C129CE42BF0E8D75A39446E622437326F6DD705CBA3083AD3B59D53296FF07A48
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: SecuriteInfoCom
Tags: exe RustyStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 319
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
044de70555979fb8066ee4de7117448cd166890496d342d07f241f30a1d8227f.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 19:36:30 UTC
Tags:
amadey botnet stealer lumma loader opendir redline stealc rhadamanthys evasion pureloader purecrypter trojan glupteba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a process from a recently created file
Moving a file to the Program Files subdirectory
Replacing files
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug overlay
Verdict:
Malicious
Labeled as:
DeepScan:Generic.ShellCode.Donut.Marte.4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
PureLog Stealer, Xmrig
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1414133 (Score: 100; interactive process/signature graph not reproduced here)
Threat name:
Win64.Exploit.DonutMarte
Status:
Malicious
First seen:
2024-03-21 19:10:34 UTC
File Type:
PE+ (Exe)
AV detection:
13 of 38 (34.21%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:zgrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SHA256 hash:
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
MD5 hash:
3abe68c3c880232b833c674d9b1034ce
SHA1 hash:
ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:Rustyloader_mem_loose
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92 (this sample)
Delivery method
Distributed via web download
Reviews
ID: FFI_METHODS
Capabilities: Can perform system-level operations via FFI
Evidence:
_ZN4core3ptr120drop_in_place$LT$$LP$std::sys::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$RP$$GT$17h53bdc69494f6dbecE
_ZN4core3ptr132drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17h7f29c7e19c33fa72E
_ZN4core3ptr132drop_in_place$LT$alloc::collections::btree::map::IntoIter$LT$std::sys::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17hdcb78f07c07cb66fE
_ZN4core3ptr160drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$GT$$GT$17ha6479399c2cea41fE
_ZN4core3ptr160drop_in_place$LT$core::option::Option$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$$GT$17h916bc581539b825fE
_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h87030caa39d0b3ddE
_ZN4core3ptr84drop_in_place$LT$$LP$std::ffi::os_str::OsString$C$std::ffi::os_str::OsString$RP$$GT$17hcdd7f970acdd9b97E
_ZN4core3ptr92drop_in_place$LT$$LP$std::sys::windows::process::EnvKey$C$std::ffi::os_str::OsString$RP$$GT$17h49b997c65512979eE
_ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h6f5d44c9f5a0aff1E
_ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Write$GT$9write_str17h026d92fa4ab3b25cE
_ZN3std3ffi6os_str95_$LT$impl$u20$core::convert::TryFrom$LT$$RF$std::ffi::os_str::OsStr$GT$$u20$for$u20$$RF$str$GT$8try_from17h949509e4ee1450fcE
_ZN108_$LT$std::sys::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$std::ffi::os_str::OsString$GT$$GT$4from17hb9c25e0a8aef86b9E
_ZN3std3sys7windows7process118_$LT$impl$u20$core::convert::From$LT$std::sys::windows::process::EnvKey$GT$$u20$for$u20$std::ffi::os_str::OsString$GT$4from17h59bd86de8213bd56E
_ZN109_$LT$std::sys::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$$RF$std::ffi::os_str::OsStr$GT$$GT$4from17h4ff87c5212584e35E
_ZN60_$LT$std::ffi::os_str::OsStr$u20$as$u20$core::fmt::Debug$GT$3fmt17h7ba6cf1aad478614E
_ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Debug$GT$3fmt17h3df52caedf111527E
ID: FILE_IO_READ
Capabilities: Can Read Files
Evidence:
_ZN54_$LT$std::fs::Metadata$u20$as$u20$core::fmt::Debug$GT$3fmt17h49c04d94616206adE
_ZN75_$LT$std::fs::ReadDir$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17h22a76f3a70d0ea75E
ID: FILE_IO_WRITE
Capabilities: Can Create and Remove Files
Evidence:
_ZN79_$LT$alloc::vec::Vec$LT$u8$GT$$u20$as$u20$std::io::copy::BufferedWriterSpec$GT$11buffer_size17h13369072353e2238E
_ZN54_$LT$std::fs::DirEntry$u20$as$u20$core::fmt::Debug$GT$3fmt17hb8d31e6b8009750eE
_ZN54_$LT$std::fs::FileType$u20$as$u20$core::fmt::Debug$GT$3fmt17hfe4273ca3091d717E
_ZN57_$LT$std::fs::Permissions$u20$as$u20$core::fmt::Debug$GT$3fmt17h7cb76b90bab36da1E
ID: NET_METHODS
Capabilities: Uses Network to send and receive data
Evidence:
_ZN91_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17hf87cdaec67b92001E
_ZN104_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$LP$$RF$str$C$u16$RP$$GT$$GT$8try_from17h01170f8df9e4d7daE
_ZN68_$LT$std::sys_common::net::TcpStream$u20$as$u20$core::fmt::Debug$GT$3fmt17he4fba212bdffe3c4E
_ZN70_$LT$std::sys_common::net::TcpListener$u20$as$u20$core::fmt::Debug$GT$3fmt17h075cb57cd8fd41ebE
_ZN68_$LT$std::sys_common::net::UdpSocket$u20$as$u20$core::fmt::Debug$GT$3fmt17h62ce4e47365a82b8E
_ZN74_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::ops::drop::Drop$GT$4drop17h5982c08af40b5ef9E
_ZN90_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$RF$str$GT$$GT$8try_from17h5c51be5849d09258E
_ZN3std10sys_common3net154_$LT$impl$u20$std::sys_common::IntoInner$LT$$LP$std::sys_common::net::SocketAddrCRepr$C$i32$RP$$GT$$u20$for$u20$$RF$core::net::socket_addr::SocketAddr$GT$10into_inner17h4c1775b1ba905bd2E

Comments