MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff
SHA3-384 hash: efca60c76b7d95de6d8c7611eabf38ebb4c1b356f509844f3e238354ab9c457e5afe07257b88ad24eef656536748f7d5
SHA1 hash: f8b81de1893a560612f82e94c22d8ac10ea5f4fa
MD5 hash: 058b06b727e1ce0615027ca9f6dbc7b2
humanhash: venus-virginia-stairway-artist
File name:058b06b727e1ce0615027ca9f6dbc7b2
Download: download sample
Signature RustyStealer
Create hunting rule
File size:15'514'112 bytes
First seen:2023-02-16 02:17:49 UTC
Last seen:2023-02-16 03:31:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d75a9fb6af5e02a37a9a2968a9cc8b9 (1 x RustyStealer)
ssdeep 393216:MD0vw+i0CksPOVvGYJU/EXiqfMu4rQgUJD5o1oTFW:WO51LHdGh/EXpfMubR1e1oT4
Threatray 168 similar samples on MalwareBazaar
TLSH T146F6337F998B08E2DB87663CAC0F9BEB16FD2AB14551CC1998E41D8D122ED31C0D3E56
TrID 61.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
13.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
4.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e686726179b93333 (4 x RustyStealer, 2 x LaplasClipper, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RustyStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
366
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
058b06b727e1ce0615027ca9f6dbc7b2
Verdict:
No threats detected
Analysis date:
2023-02-16 02:20:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/367dcc33-1ef3-41ca-bded-65ff2c9be002

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.9938.4699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware packed
Link:
https://www.filescan.io/uploads/63ed925e45632f5c85b4312b/reports/3d78d9fc-2acb-4e10-ae47-95d3c46868e9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/81420320-6c3a-426b-8175-2e1b958e0af7
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1176442
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Tries to evade analysis by execution special instruction (VM detection)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 809251 Sample: X4KPCCmmfU.exe Startdate: 16/02/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Laplas Clipper 2->44 46 Sigma detected: Drops script at startup location 2->46 48 Machine Learning detection for sample 2->48 7 X4KPCCmmfU.exe 5 2->7         started        11 tiponalelef.exe 2->11         started        process3 file4 30 C:\ProgramData\folerabikode\tiponalelef.exe, PE32 7->30 dropped 32 C:\...\tiponalelef.exe:Zone.Identifier, ASCII 7->32 dropped 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->50 52 Query firmware table information (likely to detect VMs) 7->52 54 Self deletion via cmd or bat file 7->54 56 Tries to evade analysis by execution special instruction (VM detection) 7->56 13 tiponalelef.exe 7->13         started        16 cmd.exe 1 7->16         started        58 Hides threads from debuggers 11->58 18 InstallUtil.exe 11->18         started        signatures5 process6 dnsIp7 60 Antivirus detection for dropped file 13->60 62 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->62 64 Query firmware table information (likely to detect VMs) 13->64 70 7 other signatures 13->70 21 InstallUtil.exe 13->21         started        24 InstallUtil.exe 13->24         started        66 Uses ping.exe to sleep 16->66 68 Uses ping.exe to check the status of other devices and networks 16->68 26 PING.EXE 1 16->26         started        28 conhost.exe 16->28         started        34 192.168.2.1 unknown unknown 18->34 36 nerf-0149-unknown.guru 18->36 signatures8 process9 dnsIp10 38 nerf-0149-unknown.guru 79.137.195.205, 49704, 49705, 80 PSKSET-ASRU Russian Federation 21->38 40 127.0.0.1 unknown unknown 26->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-16 02:18:14 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
8 of 25 (32.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kffcov52iawvp4pa2ffb3bxrccidt537o4gsbkgf6jbjiuswcd7q._file
Verdict:
malicious
Similar samples:
2897232c5333d1ba26ab1b9769b1bd87894f2c8d1f6c6c3cb0fa47d8b3afc56d
RustyStealer
2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
RustyStealer
707e8d1989268db912cc9c2fc95c82aac61aaee789ef40aa0ccc52ae14282d5b
RustyStealer
70f55017e476683211c4e7caea2bb4301476decb9e2608df7f7dd10ff99adc35
RustyStealer
8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e
RustyStealer
b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
RustyStealer
c6bba34f8198331c883212aeb76f4ee436df04cfc8a121c12401de1a35169f2e
RustyStealer
d994d8264d8511cb16ce67ed790a7896d0dbbe44d36eaffb43643ff34f3dc177
RustyStealer
ec50003de83269b82d86c2a2e4e44e6df77cc3aa7d3b967124b44cb47279c262
RustyStealer
+ 158 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230216-cray9afc92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
17ac10bc58c01a4b12ef90373a0d3456029942c28b82cc182ffc4534db8dac7c
MD5 hash:
938f2e98d5adfee606395bd5eb6ea65a
SHA1 hash:
d8cccc2497c91987e444204bac9da8b468c6fe76
Link:
https://www.unpac.me/results/d01f4d99-94c9-4b7d-98ec-ba6a7acaa346/
SH256 hash:
514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff
MD5 hash:
058b06b727e1ce0615027ca9f6dbc7b2
SHA1 hash:
f8b81de1893a560612f82e94c22d8ac10ea5f4fa
Link:
https://www.unpac.me/results/d01f4d99-94c9-4b7d-98ec-ba6a7acaa346/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 514a2757ba402d57f1e0d14a1d86f1109039f77f770d20a8c5f24294525610ff

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2541393/

Comments


Avatar
zbet commented on 2023-02-16 02:17:54 UTC

url : hxxp://65.108.55.152/regsvr32.exe