MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 20 File information Comments

SHA256 hash:	1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2
SHA3-384 hash:	0ca7e41a95603cfdc1ca8da67d937bf896e5282e9e7880fcdc776bac209e7928002832aff0cadda61a9e10c3314ca3f7
SHA1 hash:	6f7df270bd72bf3119403da9e738f7df8015813a
MD5 hash:	ed73908c65575cae4ae7debf23220056
humanhash:	lactose-fillet-salami-earth
File name:	Protokol_Prioretnoy_Proverki_Obektov_KVO_19.05.2026.pdf.exe
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	3'408'384 bytes
First seen:	2026-06-08 08:13:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	713ff4dd0f30035a9e8c8c906d73a028 (1 x RustyStealer)
ssdeep	24576:um+l+pISlYd2hsT1ORfXC9DomS4g+g7Qv/d3rmsrP1YtwUKBll6NqidVLnyx:umO+9YMhoMfyBbTlrmsr1YuUk4ZVLy
TLSH	T131F55B43F28584EDC45EC079862B9632B633BC8906306A6F16A4FB253F76B511F1EF19
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	f8dc988898a894b8 (3 x AveMariaRAT, 2 x RedLineStealer, 1 x QuasarRAT)
Reporter	smica83
Tags:	exe RUS RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Protokol_Prioretnoy_KVO.rar

Verdict:

Malicious activity

Analysis date:

2026-05-21 04:20:08 UTC

Tags:

evasion ip-check stealer telegram arch-doc

Link:

https://app.any.run/tasks/8ce0b072-ee29-48cc-bb63-5d66e0cd8684

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69502/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2679bb3e9eff6a6b68b1d2

Tags:

underscore infosteal

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Creating a file in the %temp% directory

Launching a process

Creating a window

Deleting a recently created file

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Running batch commands

Using the Windows Management Instrumentation requests

Launching the process to interact with network services

Searching for synchronization primitives

Deleting of the original file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-20T10:20:00Z UTC

Last seen:

2026-06-08T07:43:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win32.Paph.pun

Link:

https://opentip.kaspersky.com/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2/results?tab=lookup

Gathering data

Result

Threat name:

n/a

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1924288

Signature

Antivirus / Scanner detection for submitted sample

Deletes itself after installation

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Gathers network related connection and port information

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs a network lookup / discovery via ARP

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Check external IP via Powershell

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Double Extension File Execution

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Binaries Write Suspicious Extensions

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses ipconfig to lookup or modify the Windows network settings

Uses netstat to query active network connections and open ports

Uses the Telegram API (likely for C&C communication)

Uses whoami command line tool to query computer and username

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2/

Verdict:

Malicious

Threat:

Trojan-Downloader.Win32.Paph

Link:

https://tip.neiki.dev/file/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-21 00:57:29 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=deegm6rhsyln4cbpt45bs36boegolpu4qw63f7traams6tmnilza._file

Result

Malware family:

n/a

Score:

8/10

Tags:

adware discovery execution spyware stealer

Link:

https://tria.ge/reports/260608-j4ml5sas2r/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Gathers network information

Gathers system information

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Network Connections Discovery

System Time Discovery

Drops file in Windows directory

Looks up external IP address via web service

Network Service Discovery

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Unpacked files

SH256 hash:

1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2

MD5 hash:

ed73908c65575cae4ae7debf23220056

SHA1 hash:

6f7df270bd72bf3119403da9e738f7df8015813a

Link:

https://www.unpac.me/results/8161da75-2d1f-447a-a599-ce60455ccf28/

SH256 hash:

0324d1a0c01db9de583ef9a0691943f0b214b13cc05484d40588c7f86c366e51

MD5 hash:

752c8ce292e9d21ff5bb41e2eb6be638

SHA1 hash:

cb77ec5d3120509a9418da6d423e1f64a71acdc3

Link:

https://www.unpac.me/results/8161da75-2d1f-447a-a599-ce60455ccf28/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1908667a2796/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1908667a279616de082f9f3a196fc1710ce5be9c85bdb2fe7100192f4d8d42f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69502/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample