MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
SHA3-384 hash: 5d7e085bf35f55ba38c3133657e7666a9cffd76325fce6cc9216127100a3870cc0ee1ae695a1a606c8e8c198ac252fdd
SHA1 hash: 0f479f70abade90588d4db0097e8817e17e13ac6
MD5 hash: c5ae7aca5d014d500783505f3d0dba49
humanhash: vegan-south-hydrogen-alanine
File name:fv47j.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:2'097'152 bytes
First seen:2025-12-21 17:43:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcdb1bba7d17aed086e88f3726510100 (1 x RustyStealer)
ssdeep 49152:y8ObXalSVCpG663hpFr5N0v3fsXvAxO3:3NlKpFriJO3
Threatray 559 similar samples on MalwareBazaar
TLSH T180A5BF3BF60FE596D1D4E038A1928562156BBC8D2F0D71BB3194A524E978EA43F27F03
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10522/11/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 48494acc4c4a2148 (2 x RustyStealer, 1 x RedLineStealer, 1 x BitRAT)
Reporter Ling
Tags:exe Malgent RustyStealer Trojan:Win32/Malgent!MSR


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693.exe
Verdict:
No threats detected
Analysis date:
2025-12-21 17:48:48 UTC
Tags:
rust amsi-bypass
Link:
https://app.any.run/tasks/0afd0fd9-8f1d-4111-b1da-cc66d3d3207e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45660/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694831baa6c88bb4cc234363
Tags:
cobaltstrike emotet cobalt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-21T13:42:00Z UTC
Last seen:
2025-12-23T02:44:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Cobalt.sb Trojan.Win32.Cobalt.sb PDM:Trojan.Win32.Generic Backdoor.Cobalt.HTTP.C&C Trojan.Win64.Agentb.sb Trojan.Win32.Cometer.sb Trojan.Win32.CobaltStrike.sb Trojan.Win32.CobaltStrike.mz Trojan.Win32.CobaltStrike.mmi HackTool.Cobalt.HTTP.C&C
Link:
https://opentip.kaspersky.com/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b6e7ed61-878c-4403-b7ad-2b49dec90ef1
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/c5ae7aca5d014d500783505f3d0dba49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693/
Verdict:
Malicious
Threat:
Trojan.Win32.CobaltStrike
Link:
https://tip.neiki.dev/file/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
Threat name:
Win64.Backdoor.Cobeacon
Create hunting rule
Status:
Malicious
First seen:
2025-12-21 17:44:11 UTC
File Type:
PE+ (Exe)
Extracted files:
35
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=darofvrcp6nsevz6qlexgkdp3eqie7hrkwl5kwfpof4qwvwnu2jq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
RustyStealer
194527399e0ac5bc5c145221b68e87b73e8547a349b405cbbbb6aad780a85aef
RustyStealer
1a083a173b159a338b34285682921cb2acfaac6278fb9b934794a18b496eecea
RustyStealer
1d2f14c8497b8cd9d78498827fac151d00d2359320607c5cd748df0ef50e4c73
RustyStealer
361eac6d7a1d710d57261b1c46a8c4f52690277ffd02dfd0ba53e585a5d1af5a
RustyStealer
5ec08f4c8aa8d315e576fcc4da30224ced471255514080ea3bcfe0029365f24c
RustyStealer
b4bfe5cc6f4c4f57d387244c802894727aa10398a1b478c1e7e1c0e7a4f7e667
RustyStealer
error
RustyStealer
+ 549 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251223-lneygaskgt/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/38f80c6b-cf1a-453b-8e23-7f5e60cd89b1
Unpacked files
SH256 hash:
1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693
MD5 hash:
c5ae7aca5d014d500783505f3d0dba49
SHA1 hash:
0f479f70abade90588d4db0097e8817e17e13ac6
Link:
https://www.unpac.me/results/5389c32c-f36e-453e-b2d4-e3e5c594f398/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1822e2d6227f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 1822e2d6227f9b22573e82c973286fd920827cf15597d558af71790b56cda693

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45660/

Comments