MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5428cca9ddb62b62c941386fb9eaf9508222b1acf561754483cdd8cf0fbd41e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5428cca9ddb62b62c941386fb9eaf9508222b1acf561754483cdd8cf0fbd41e7
SHA3-384 hash: 213a62fae2098a9ad4b42ce692853807333a17fc3a85d0d13c65e5d69d1213c4ef95dca3f896a3edc7981db4a1223b55
SHA1 hash: 965c9e526c633661b484e04c0ebb3368e1e526a5
MD5 hash: 6c80da0486ff66d6ae23739c44252dff
humanhash: eight-charlie-blue-fourteen
File name:6c80da0486ff66d6ae23739c44252dff
Download: download sample
Signature RustyStealer
Create hunting rule
File size:7'436'800 bytes
First seen:2022-11-19 04:07:00 UTC
Last seen:2022-11-19 05:37:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:LF90VGReWW73VnOzBrMZExuAWWTb/HirLcXthOjmH:LFmVfIBrMHAWW/RKA
Threatray 19 similar samples on MalwareBazaar
TLSH T1E0767D02F39541E9C06EC6748266A233B7B0BC4D4325F7EF9B846A712D62FD09E39356
TrID 52.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.4% (.EXE) InstallShield setup (43053/19/16)
4.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.SCR) Windows screen saver (13097/50/3)
Reporter zbetcheckin
Tags:32 exe RustyStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6c80da0486ff66d6ae23739c44252dff
Verdict:
Malicious activity
Analysis date:
2022-11-19 04:07:17 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e8fdcdb3-e597-4e4f-a08a-c54b715c8302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335994/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop21.14111.24161.17606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Launching cmd.exe command interpreter
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Replacing files
Searching for synchronization primitives
Sending an HTTP POST request
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe greyware packed packed spyeye
Link:
https://www.filescan.io/uploads/6378566b6fda73cab64e74f1/reports/6be9878a-c8c9-422b-a67e-3207f6de5c79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Qinynore
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6524a49b-34d3-4ac3-9e55-4bebb4ba88d5
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj.adwa
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1116974
Signature
Drops PE files to the startup folder
Drops PE files to the user root directory
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 749682 Sample: phLGVjEplB.exe Startdate: 19/11/2022 Architecture: WINDOWS Score: 32 92 Multi AV Scanner detection for submitted file 2->92 94 Machine Learning detection for sample 2->94 96 Yara detected Generic Downloader 2->96 10 phLGVjEplB.exe 8 2->10         started        14 SysInitVal.exe 2->14         started        17 OpenWith.exe 17 9 2->17         started        19 OpenWith.exe 2->19         started        process3 dnsIp4 60 C:\Users\user\AppData\...\WebDriver.dll, PE32 10->60 dropped 62 C:\Users\user\AppData\...\MySql.Data.dll, PE32 10->62 dropped 64 C:\Users\Public\geckodriver.exe, PE32+ 10->64 dropped 66 4 other malicious files 10->66 dropped 98 Drops PE files to the user root directory 10->98 100 Drops PE files to the startup folder 10->100 21 cmd.exe 1 10->21         started        23 conhost.exe 10->23         started        86 3.232.242.170, 443, 49718 AMAZON-AESUS United States 14->86 88 api.ipify.org.herokudns.com 14->88 90 api.ipify.org 14->90 25 cmd.exe 14->25         started        27 cmd.exe 14->27         started        file5 signatures6 process7 process8 29 SysInitVal.exe 15 4 21->29         started        32 chrome.exe 25->32         started        34 conhost.exe 25->34         started        36 conhost.exe 27->36         started        38 xcopy.exe 27->38         started        dnsIp9 80 65.21.248.237, 3306, 49699, 49701 CP-ASDE United States 29->80 82 api.ipify.org.herokudns.com 3.220.57.224, 443, 49700 AMAZON-AESUS United States 29->82 84 api.ipify.org 29->84 40 cmd.exe 1 29->40         started        42 cmd.exe 1 29->42         started        44 chrome.exe 32->44         started        process10 process11 46 xcopy.exe 2 40->46         started        50 conhost.exe 40->50         started        52 chrome.exe 13 1 42->52         started        55 conhost.exe 42->55         started        dnsIp12 68 C:\Users\user\AppData\...\SysInitVal.exe, PE32 46->68 dropped 102 Drops PE files to the startup folder 46->102 70 192.168.2.1 unknown unknown 52->70 72 239.255.255.250 unknown Reserved 52->72 57 chrome.exe 52->57         started        file13 signatures14 process15 dnsIp16 74 www.google.com 172.217.168.36, 443, 49710, 49726 GOOGLEUS United States 57->74 76 clients.l.google.com 172.217.168.78, 443, 49706 GOOGLEUS United States 57->76 78 3 other IPs or domains 57->78
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5428cca9ddb62b62c941386fb9eaf9508222b1acf561754483cdd8cf0fbd41e7/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-11-19 02:30:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
13 of 39 (33.33%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqumzko5wyvwfskbhbx3t2xzkcbcfmnm6vqxkredzxmm6d55ihtq._file
Verdict:
malicious
Similar samples:
46ba1967983d6f567a10712f1814d4cad0af421aeb1c25a943a7ceb4d1195037
RustyStealer
4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
RustyStealer
523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10
RustyStealer
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
RustyStealer
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
RustyStealer
8cc4490da47561e18ea0202b96aa8c8cc3d62173e71ff3c025b502bbd745a542
RustyStealer
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
RustyStealer
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
RustyStealer
eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
RustyStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221119-epm7xagh5s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c2f3cb1c-bcbe-4cc0-a0cc-d95220efe241
Unpacked files
SH256 hash:
a0c72edf083dda01284b5971c8a66a15ef2cfc916448a654904e83efd3b94648
MD5 hash:
afc506e79f03acfcd5e0653f2860eae9
SHA1 hash:
34ffd621f959824b54d0599a9d5bdd4fca956ffe
Link:
https://www.unpac.me/results/8b9bf00c-a586-4ce5-96c1-3b0fb989b735/
SH256 hash:
08af8858c728afb696b8a0e7c6145eb8c50f674889f0b19985e1191cda8f514c
MD5 hash:
4464e2035aa5d05dd16330f6f09e4455
SHA1 hash:
14f9d1cd75e97049828b6b80d2189ab41f8cadd6
Link:
https://www.unpac.me/results/8b9bf00c-a586-4ce5-96c1-3b0fb989b735/
SH256 hash:
0ee619b1786cf5971c0f9c6ee1859497aecba93a4953cf92fea998e8eefadf3c
MD5 hash:
9283cfa187616d4db0e41bdab6083d88
SHA1 hash:
066b9bcbaade014d100e8077124ee6152b233615
Link:
https://www.unpac.me/results/8b9bf00c-a586-4ce5-96c1-3b0fb989b735/
SH256 hash:
5428cca9ddb62b62c941386fb9eaf9508222b1acf561754483cdd8cf0fbd41e7
MD5 hash:
6c80da0486ff66d6ae23739c44252dff
SHA1 hash:
965c9e526c633661b484e04c0ebb3368e1e526a5
Link:
https://www.unpac.me/results/8b9bf00c-a586-4ce5-96c1-3b0fb989b735/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 5428cca9ddb62b62c941386fb9eaf9508222b1acf561754483cdd8cf0fbd41e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425694/
Cape
Cape
https://www.capesandbox.com/analysis/335994/

Comments


Avatar
zbet commented on 2022-11-19 04:07:08 UTC

url : hxxp://65.21.248.237/file/extractor.exe