MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c67c1181a38c5be2205833e2d88de1e8f42fe5d7458d5b3ee669c6e50f5c6c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 13


SHA256 hash: 2c67c1181a38c5be2205833e2d88de1e8f42fe5d7458d5b3ee669c6e50f5c6c6
SHA3-384 hash: c7d67243e7cd4ae01a76f696bfc9f178bf8b9a750582a30a8ecc162e13ddd91b858858b9031310c860f33a8ed72bd127
SHA1 hash: 159d073153b24050214453132ad430fb8dc05710
MD5 hash: 828d1cb86b3c616e84a527f93911a629
humanhash: snake-zulu-ceiling-three
File name: steamconnectgh.exe
Signature: RustyStealer
File size: 5'613'056 bytes
First seen: 2025-10-28 17:01:44 UTC
Last seen: 2025-11-02 15:19:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 89fa639e427cd8c6012df4a19c312d06 (1 x RustyStealer)
ssdeep: 98304:+npjNMyagKC7K+KjZvcne4SPfZ0U0Jn+fcjlT+X8Tq0dAUh8lGtN4WMeC/:MpeypnK+KjlZ50UmjwX8G0dA08mzM
TLSH: T1EF463302B9A14436C55741B79D6AC7BC922AFC000B159BC796D41C76FFF93F20AB0B6A
TrID: 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: GDHJDSYDH1
Tags: backdoor dropper exe RustyStealer stealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 141
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: atlas_browser.7z
Verdict: Malicious activity
Analysis date: 2025-10-28 11:02:56 UTC
Tags: arch-exec arch-doc anti-evasion evasion pastebin python stealer xor-url generic antivm rust ip-check pyinstaller

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: shellcode dropper
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Connection attempt
Sending a custom TCP request
Creating a file
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm krypt microsoft_visual_cc packed
Verdict: Malicious
File Type: exe x32
First seen: 2025-10-26T23:54:00Z UTC
Last seen: 2025-10-28T11:40:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Fsysna.kcsm Trojan.Agent.HTTP.C&C PDM:Trojan.Win32.Generic
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-10-28 12:14:00 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 12 of 36 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour:
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: 2c67c1181a38c5be2205833e2d88de1e8f42fe5d7458d5b3ee669c6e50f5c6c6
MD5 hash: 828d1cb86b3c616e84a527f93911a629
SHA1 hash: 159d073153b24050214453132ad430fb8dc05710
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | RustyStealer | Executable exe | 2c67c1181a38c5be2205833e2d88de1e8f42fe5d7458d5b3ee669c6e50f5c6c6 (this sample)