MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 17 File information Comments

SHA256 hash:	24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28
SHA3-384 hash:	2c29c2709b0c6890cffd8fe75c73d0f2fa2e3764b415572498e4d50d6d29bf4eaf18e06a0ce2da9872f8b204fd3b8bc9
SHA1 hash:	6bcefbafdc4346c943546400f8b0df62b787f4ad
MD5 hash:	ce3f7e4235c89e9cb09fbd74f44575b9
humanhash:	failed-juliet-north-blue
File name:	file
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	9'642'496 bytes
First seen:	2025-11-01 13:52:24 UTC
Last seen:	2025-11-02 16:19:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7ed81876c9d12e4d4be2bd1e67e331a (2 x RustyStealer)
ssdeep	98304:+xS5jvqgAwz5cu0fwmfRBwW7UwBpwLBDSAnMd//9YWFn+P:W2z5cRwmfRBwUOLFn43OW1
TLSH	T1FCA65B03F69580E8C0ADC5B8872BA637EB76FC890524B29B5BE44F212F66F505F1C359
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10522/11/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4504/4/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 RustyStealer

Bitsight

url: http://178.16.55.189/files/8072548658/YrxRYBt.exe

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

main.exe

Verdict:

Malicious activity

Analysis date:

2025-10-31 18:46:39 UTC

Tags:

auto xworm rat python possible-phishing amadey botnet stealer clickfix stealc github metasploit backdoor meterpreter payload xenorat dcrat clipper diamotrix tinynuke remcos coinminer miner asyncrat xtinyloader loader formbook rhadamanthys generic agenttesla svc katzstealer httpdebugger tool anti-evasion nanocore donutloader redline darktortilla crypter masslogger salatstealer purelogs blankgrabber gcleaner pyinstaller lumma snake keylogger purecrypter vipkeylogger phishing njrat aurotun venom ghostsocks proxyware hijackloader auto-sch-xml netsupport rmm-tool cobaltstrike

Link:

https://app.any.run/tasks/cd481450-8bad-494d-9731-ddbc371236ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34957/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690610e49942f1282ecb2523

Tags:

dropper virus remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a file

Moving a recently created file

Replacing files

Connection attempt

Connecting to a non-recommended domain

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-31T14:52:00Z UTC

Last seen:

2025-11-03T10:28:00Z UTC

Hits:

~100

Detections:

VHO:Trojan.Win32.AutoRun.gen VHO:Trojan.Win64.Agent.smeuvc Trojan.Win64.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win64.Agent.smeuvc NetTool.TorToolE.TCP.C&C NetTool.TorTool.TCP.C&C

Link:

https://opentip.kaspersky.com/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ca48c077-ab59-4e40-b0ec-cc9c0acd86a9

Score:

86%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/ce3f7e4235c89e9cb09fbd74f44575b9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28/

Verdict:

Malicious

Threat:

VHO:Trojan.Win32.AutoRun

Link:

https://tip.neiki.dev/file/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=etvcuxue63nfg6uddobwgdrukqhbwwagugwhfkuae76gkqzrpqua._file

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/251101-q6txkadl81/

Behaviour

Suspicious behavior: EnumeratesProcesses

Adds Run key to start application

Looks up external IP address via web service

Unpacked files

SH256 hash:

24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28

MD5 hash:

ce3f7e4235c89e9cb09fbd74f44575b9

SHA1 hash:

6bcefbafdc4346c943546400f8b0df62b787f4ad

Link:

https://www.unpac.me/results/c45bee27-e78b-47e6-ac7c-3b6a9aa99fda/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/24ea2a5e84f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24ea2a5e84f6da537a831b83630e34540e1b5806a1ac72aa8027fc6543317c28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/