MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0
SHA3-384 hash: 53e79be327c2484525969995eb14531f8cd1db38e1802592a27b490c94e632b0c634b96847afb98f7372ead46f1839be
SHA1 hash: fe36dbf3efa775193b82ce03d1b329d3feced487
MD5 hash: e211b2b230ef040fe40bc380899990fc
humanhash: mike-papa-eleven-white
File name:e211b2b230ef040fe40bc380899990fc
Download: download sample
Signature RustyStealer
Create hunting rule
File size:3'414'528 bytes
First seen:2024-08-05 12:35:39 UTC
Last seen:2024-08-05 13:20:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd2f2ecf71382d689c11a821fa0e4cae (1 x RustyStealer)
ssdeep 49152:IpMb87gil2wlWJDddoneZxq03EjlI+pOZjlx+o1Mj+6001YP:9bZRE4+Kr60n
TLSH T1EBF53A257F8A99ADC05AC074834787726A7170CE0F35BAEF458486783F69AF51F3C298
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 CoinMiner exe RustyStealer XMRIG

Intelligence

File Origin
# of uploads :
2
# of downloads :
399
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e211b2b230ef040fe40bc380899990fc
Verdict:
Malicious activity
Analysis date:
2024-08-05 12:42:56 UTC
Tags:
loader miner themida
Link:
https://app.any.run/tasks/031f02bd-39f2-4b9f-8bb5-4a7acf5445b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b0c73a037b02d0daedbaeb
Tags:
Banker Execution Network Stealth Trojan Heur
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm microsoft_visual_cc rust
Link:
https://www.filescan.io/uploads/66b0c76184afcda9626527e3/reports/d0af5ccc-430e-4368-9631-50ca5c57605d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a4ef9c3-c61d-4bff-b552-ebbc9965e52e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1487983
Signature
AI detected suspicious sample
Antivirus detection for dropped file
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-02 20:54:22 UTC
File Type:
PE+ (Exe)
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mzwci26wmitvywttgc2n4lsru74gkvrzbqfxtmoxoq3y47vmrsya._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence trojan
Link:
https://tria.ge/reports/240805-psw94awcqq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
xmrig
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1d947fc3-a4ce-4e5d-a77e-7ee3b9ceecae
Unpacked files
SH256 hash:
666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0
MD5 hash:
e211b2b230ef040fe40bc380899990fc
SHA1 hash:
fe36dbf3efa775193b82ce03d1b329d3feced487
Link:
https://www.unpac.me/results/14285200-ae5a-49ff-a151-f4b52453a3e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3090460/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::CopySid
advapi32.dll::GetLengthSid
advapi32.dll::IsValidSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
SS_APIUses SS APIsecur32.dll::AcceptSecurityContext
secur32.dll::AcquireCredentialsHandleA
secur32.dll::ApplyControlToken
secur32.dll::DecryptMessage
secur32.dll::DeleteSecurityContext
secur32.dll::QueryContextAttributesW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
kernel32.dll::OpenProcess
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
ntdll.dll::NtQuerySystemInformation
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleA
kernel32.dll::WriteConsoleW
kernel32.dll::GetConsoleScreenBufferInfo
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
ntdll.dll::NtCreateFile
kernel32.dll::CreateFileW
ntdll.dll::NtDeviceIoControlFile
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupAccountSidW
advapi32.dll::LookupPrivilegeValueA
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_CRYPT_APIUses Windows Crypt APIcrypt32.dll::CertAddCertificateContextToStore
crypt32.dll::CertDuplicateCertificateChain
crypt32.dll::CertDuplicateCertificateContext
crypt32.dll::CertDuplicateStore
crypt32.dll::CertEnumCertificatesInStore
crypt32.dll::CertFreeCertificateChain
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
advapi32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataws2_32.dll::bind
ws2_32.dll::closesocket
ws2_32.dll::connect
ws2_32.dll::freeaddrinfo
ws2_32.dll::getaddrinfo
ws2_32.dll::getpeername
WIN_USER_APIPerforms GUI Actionsuser32.dll::FindWindowA

Comments


Avatar
zbet commented on 2024-08-05 12:35:40 UTC

url : hxxp://172.86.76.134:1111/svhost/