MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018
SHA3-384 hash: 76f79312ca3b4e6b1621c51027c955a46ed2c45440515178ec2718322b35d20b58032223663e21460632f892eed3231b
SHA1 hash: 175da621d92c6384cfde03e4baef86596cc55c8c
MD5 hash: 259f32eec30c3e963a123c01ba6931a1
humanhash: oven-coffee-mountain-golf
File name:259f32eec30c3e963a123c01ba6931a1
Download: download sample
Signature RustyStealer
Create hunting rule
File size:7'435'264 bytes
First seen:2022-11-16 16:29:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:HAWWTb/HirLcXthOjmHDF90VGReWW73VnOzBrMZEx:HAWW/RKADFmVfIBrM
Threatray 20 similar samples on MalwareBazaar
TLSH T1AA767D02F39541E9C06EC6748266A233B7B0BC4D4325F7EF9B846A712D62FD09E39356
TrID 52.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.4% (.EXE) InstallShield setup (43053/19/16)
4.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.SCR) Windows screen saver (13097/50/3)
Reporter zbetcheckin
Tags:32 exe RustyStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
259f32eec30c3e963a123c01ba6931a1
Verdict:
Malicious activity
Analysis date:
2022-11-16 16:32:32 UTC
Tags:
installer
Link:
https://app.any.run/tasks/d292ed92-081d-432c-ba5f-74f5b6d4ec8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334933/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Launching cmd.exe command interpreter
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Searching for synchronization primitives
Replacing files
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe greyware packed packed spyeye
Link:
https://www.filescan.io/uploads/6375100d07c3f5e84a017848/reports/484ce160-a975-428b-b4be-2886701f289e/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qinynore
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/620178d5-f750-49b8-8377-1ddb3fa1c25d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1115043
Signature
Drops PE files to the startup folder
Drops PE files to the user root directory
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 16:30:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cua3hg6vf5vqijdbtbtfs37xlxdxmuj7ejxx263d5xzzbumr4ama._file
Verdict:
suspicious
Similar samples:
46ba1967983d6f567a10712f1814d4cad0af421aeb1c25a943a7ceb4d1195037
RustyStealer
4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
RustyStealer
523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10
RustyStealer
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
RustyStealer
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
RustyStealer
8cc4490da47561e18ea0202b96aa8c8cc3d62173e71ff3c025b502bbd745a542
RustyStealer
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
RustyStealer
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
RustyStealer
eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
RustyStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221116-tzt6jaca76/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f7ef387-76cd-473c-8551-1e4652dc9a0c
Unpacked files
SH256 hash:
fbb90aff628e7d1fdeeb15539599f5abd8dd9515523cb7fb0c34aad5ba6d57a5
MD5 hash:
c7030b154158541c3fd110835719ef80
SHA1 hash:
c0ef2693d3f39e4c8e7e98d0099fa0cc1efa6a9a
Link:
https://www.unpac.me/results/953dd27d-56d5-446e-aa80-86582c1305fd/
SH256 hash:
a0c72edf083dda01284b5971c8a66a15ef2cfc916448a654904e83efd3b94648
MD5 hash:
afc506e79f03acfcd5e0653f2860eae9
SHA1 hash:
34ffd621f959824b54d0599a9d5bdd4fca956ffe
Link:
https://www.unpac.me/results/953dd27d-56d5-446e-aa80-86582c1305fd/
SH256 hash:
0ee619b1786cf5971c0f9c6ee1859497aecba93a4953cf92fea998e8eefadf3c
MD5 hash:
9283cfa187616d4db0e41bdab6083d88
SHA1 hash:
066b9bcbaade014d100e8077124ee6152b233615
Link:
https://www.unpac.me/results/953dd27d-56d5-446e-aa80-86582c1305fd/
SH256 hash:
1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018
MD5 hash:
259f32eec30c3e963a123c01ba6931a1
SHA1 hash:
175da621d92c6384cfde03e4baef86596cc55c8c
Link:
https://www.unpac.me/results/953dd27d-56d5-446e-aa80-86582c1305fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 1501b39bd52f6b0424619866596ff75dc776513f226f7d7b63edf390d191e018

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334933/
  
URLhaus
https://urlhaus.abuse.ch/url/2414605/

Comments


Avatar
zbet commented on 2022-11-16 16:30:01 UTC

url : hxxp://65.21.248.237/file/streamBot.exe