MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc
SHA3-384 hash: a15e0cf6c5d700439b0e0a44849080f14ae04570dbf2f455a0930e5c0a2d2eedf0b60a10e1ffa675356a929184598c43
SHA1 hash: 800d9c3311f7daddb4e16de7da5e4d17fa8d6fa5
MD5 hash: 6575f782073ab4fd19e7df1c5e2a73be
humanhash: tennis-fourteen-seven-friend
File name:PQkVDtx.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:4'151'953 bytes
First seen:2025-03-07 15:54:30 UTC
Last seen:2025-03-07 17:07:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1247f72a6c7bb51378b82365265e4b2 (1 x RustyStealer)
ssdeep 98304:XrhBW8OcW2QGPs1a5ug4XbAwxP9O0QWAXNNDXC:5Ds1Jg4XbtxP9dQWYNN2
TLSH T18C1633A75B0203DCF6521BB52034AA75445B6B2AD488BC2B7393DC7DD7ACCE924C6D28
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:exe RustyStealer


Avatar
iamaachum
http://176.113.115.7/files/7501756902/PQkVDtx.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
399
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
http://176.113.115.7/mine/random.exe
Verdict:
Malicious activity
Analysis date:
2025-03-07 15:18:05 UTC
Tags:
amadey botnet stealer themida rdp opendir lumma loader phishing gcleaner stealc credentialflusher auto generic vidar telegram autoit golang
Link:
https://app.any.run/tasks/3ac8d657-ef1e-4f9f-a724-c0fa941a6bf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cb184dc8d04e92a4bfcb30
Tags:
obfuscate vmdetect xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file
Launching the process to interact with network services
Launching a process
Сreating synchronization primitives
Setting a single autorun event
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm lolbin microsoft_visual_cc overlay packed packer_detected schtasks
Link:
https://www.filescan.io/uploads/67cb16ebf8726576332e29be/reports/4730a560-c986-4c3d-b52c-207eb55b12c2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a6701809-b009-4bed-bf03-cca5f76264d3
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631960
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1631960 Sample: PQkVDtx.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for dropped file 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 8 other signatures 2->98 9 PQkVDtx.exe 3 2->9         started        13 YourPhone.exe 2->13         started        15 YourPhone.exe 2->15         started        17 svchost.exe 2->17         started        process3 dnsIp4 88 C:\Program Files\runtime\COM Surrogate.exe, MS-DOS 9->88 dropped 116 Suspicious powershell command line found 9->116 118 Adds a directory exclusion to Windows Defender 9->118 20 COM Surrogate.exe 1 8 9->20         started        24 powershell.exe 23 9->24         started        26 conhost.exe 9->26         started        120 Multi AV Scanner detection for dropped file 13->120 122 Detected unpacking (creates a PE file in dynamic memory) 13->122 124 Encrypted powershell cmdline option found 13->124 126 Contain functionality to detect virtual machines 13->126 28 YourPhone.exe 13->28         started        30 net.exe 13->30         started        32 YourPhone.exe 15->32         started        34 net.exe 15->34         started        90 127.0.0.1 unknown unknown 17->90 file5 signatures6 process7 file8 84 C:\Users\user\AppData\Local\...\YourPhone.exe, MS-DOS 20->84 dropped 86 C:\Users\user\...\XboxSpeechToTextOverlay.exe, PE32+ 20->86 dropped 104 Encrypted powershell cmdline option found 20->104 106 Found direct / indirect Syscall (likely to bypass EDR) 20->106 36 powershell.exe 18 20->36         started        39 powershell.exe 18 20->39         started        47 2 other processes 20->47 108 Adds a directory exclusion to Windows Defender 24->108 110 Found suspicious powershell code related to unpacking or dynamic code loading 24->110 112 Loading BitLocker PowerShell Module 24->112 41 conhost.exe 24->41         started        43 powershell.exe 28->43         started        45 net.exe 28->45         started        49 2 other processes 30->49 51 2 other processes 32->51 53 2 other processes 34->53 signatures9 process10 signatures11 100 Adds a directory exclusion to Windows Defender 36->100 55 powershell.exe 23 36->55         started        58 conhost.exe 36->58         started        60 powershell.exe 23 39->60         started        62 conhost.exe 39->62         started        64 powershell.exe 43->64         started        66 conhost.exe 43->66         started        68 2 other processes 45->68 102 Loading BitLocker PowerShell Module 47->102 70 3 other processes 47->70 72 4 other processes 51->72 process12 signatures13 114 Loading BitLocker PowerShell Module 55->114 74 conhost.exe 55->74         started        76 conhost.exe 60->76         started        78 conhost.exe 64->78         started        80 conhost.exe 72->80         started        82 conhost.exe 72->82         started        process14
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-07 10:08:59 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwcyiydyehlvnldwcdsnxa44u44sawaykjgpg5sddjm5vchhhhoa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/250307-tcw2lssxfw/
Behaviour
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2536609a-b334-48f8-a15d-e0b23ef92080
Unpacked files
SH256 hash:
658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc
MD5 hash:
6575f782073ab4fd19e7df1c5e2a73be
SHA1 hash:
800d9c3311f7daddb4e16de7da5e4d17fa8d6fa5
Link:
https://www.unpac.me/results/93d4ae2a-2bc4-4bc2-88a2-6fd89ca5b784/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Create hunting rule
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 658584607821d756ac7610e4db839ca739205818524cf376431a59da88e739dc

(this sample)

  
Link
https://tria.ge/250307-s1p3jasvdw/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470664/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA

Comments