MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2
SHA3-384 hash:	12c14c2a93a59f4a58665e1bd398d92f375f9ec2bea5cc533c1a5939315ce714c40ae338963252290784646d792bc9fc
SHA1 hash:	850618fc552e4ccde5e6bdf71b05a63478ea4950
MD5 hash:	9157330816399f1a430386c82deba69c
humanhash:	maryland-missouri-virginia-summer
File name:	YomiraV65.exe
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	48'932'101 bytes
First seen:	2025-05-24 01:43:12 UTC
Last seen:	2025-05-24 01:43:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7d8ca9debb6e175a17bbfed3bb3f7cf6 (1 x RustyStealer)
ssdeep	786432:3Y4BILC885/PJstn3cs+asFuLO9Kc4+0jifX+pDP:3Y6IL9n3ct+G4B/
TLSH	T146B7F2843A224810EACC037EF7B3A8470A746CD91E23FEA457454D9EE8DF41DED6B859
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	xorist
Tags:	exe RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

492

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

YomiraV65.exe

Verdict:

Malicious activity

Analysis date:

2025-05-24 01:46:05 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/be108587-e1fb-41f7-a1e6-7d96192ebe59

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6831287444c3881e854c9e1b

Tags:

virus spawn sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Changing a file

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug mingw overlay overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/68312445fd02ed5e05859b97/reports/66047959-5c21-4911-8280-6785ea1e1e3b/overview

Verdict:

Malicious

Labled as:

QD:Trojan.GenericQ

Link:

https://www.hybrid-analysis.com/sample/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1698298

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2

Gathering data

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-04-01 11:51:20 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kwsbr6cwe2cga7xavtlukwk6ff5lpzmg2cs5h6bsqzb3fhds36ra._file

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250524-b5hetadr5w/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Reads user/profile data of web browsers

Looks for VMWare drivers on disk

Uses browser remote debugging

Enumerates VirtualBox DLL files

Looks for VirtualBox drivers on disk

Looks for VirtualBox executables on disk

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4672f386-12b6-410a-b0f8-43990fa0be90

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_VIRTUAL_SIZE	Optimize binary virtual size	medium

Reviews

ID	Capabilities	Evidence
FFI_METHODS	Can perform system-level operations via FFI	_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17ha013056c5815001aE _ZN4core3ptr99drop_in_place$LT$core::result::Result$LT$alloc::string::String$C$std::ffi::os_str::OsString$GT$$GT$17h29b9b7ae471f5c1cE _ZN3std3ffi6os_str103_$LT$impl$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$u20$for$u20$alloc::string::String$GT$6as_ref17ha3388bfd326b64c3E.llvm.8336723095197634894 _ZN3std3ffi6os_str85_$LT$impl$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$u20$for$u20$str$GT$6as_ref17h37ef532ce7522cd5E _ZN75_$LT$std::ffi::os_str::OsStr$u20$as$u20$std::os::windows::ffi::OsStrExt$GT$11encode_wide17h33507995664519e0E _ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h203e3962da86bf7fE _ZN3std3ffi6os_str95_$LT$impl$u20$core::convert::TryFrom$LT$$RF$std::ffi::os_str::OsStr$GT$$u20$for$u20$$RF$str$GT$8try_from17h528e6a2dcb08aa5fE

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample