MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
SHA3-384 hash: f30dff034480db9f1696c03a506614fcd6ae2a7d404927a62d7303652032f2aa57bb0dbfad1804492fb81a32952f0dff
SHA1 hash: d23c8d1269f075ed0c8ba35a8c94c9791c6515b5
MD5 hash: 9a7b18ca796dc1f79b5a9dd66bc9a553
humanhash: bakerloo-idaho-coffee-maine
File name:कर निरीक्षण.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:10'496'288 bytes
First seen:2025-10-25 22:30:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83a05c8ded3965f1a6db803db8b14678 (1 x RustyStealer)
ssdeep 6144:lRD2izIebs9b/Nbm+JuRG1F9J9Tj8k/GlRPeYnv/HpD632DfJntAaSffMvYhlUck:l52hF1SG1fvFGTPZnnRkJPBF/gl1UI
Threatray 8 similar samples on MalwareBazaar
TLSH T1A6B66C12AA4549F8D05AC474C3478A63AA3634CA0B36E6EF02D591343F7EAF26F3D754
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10522/11/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:27-124-9-13 exe IND ValleyRAT winos


Avatar
iamaachum
ValleyRAT/Winos C2: 27.124.9.13:5689

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://spdda.oss-cn-hongkong.aliyuncs.com/%E0%A4%95%E0%A4%B0%20%E0%A4%A8%E0%A4%BF%E0%A4%B0%E0%A5%80%E0%A4%95%E0%A5%8D%E0%A4%B7%E0%A4%A3.rar
Verdict:
Malicious activity
Analysis date:
2025-10-14 07:02:41 UTC
Tags:
arch-exec evasion anti-evasion payload valley winos rat silverfox valleyrat rust
Link:
https://app.any.run/tasks/e702331c-2215-4d48-b00d-cc342882580c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34125/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fd4fb56c859164aa64958a
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 cmd crypt evasive expired-cert fingerprint hacktool invalid-signature lolbin microsoft_visual_cc msbuild overlay overlay packed signed
Link:
https://www.filescan.io/uploads/68fd4fa53a79800405f68745/reports/2ad5b80a-04b4-4f89-849e-9c8ec5cc3f14/overview
Verdict:
Malicious
Labled as:
Trojan.TrickOrTreat.Generic
Link:
https://www.hybrid-analysis.com/sample/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-11T04:23:00Z UTC
Last seen:
2025-10-14T08:54:00Z UTC
Hits:
~100
Detections:
Trojan.Agentb.HTTP.C&C PDM:Trojan.Win32.Generic Backdoor.Win32.Xkcp.bdf Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb Backdoor.Xkcp.TCP.ServerRequest Backdoor.Win32.Xkcp.a Backdoor.Agent.TCP.C&C Trojan.Win64.Kryplod.sb NetTool.cURLGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77/results?tab=lookup
Malware family:
RustyClaw
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8115e740-df61-48ac-b215-6171f8124648
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801841
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1801841 Sample: #U0915#U0930 #U0928#U093f#U... Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 33 ip.sb 2->33 37 Suricata IDS alerts for network traffic 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 8 other signatures 2->43 8 #U0915#U0930 #U0928#U093f#U0930#U0940#U0915#U094d#U0937#U0923.exe 5 7 2->8         started        12 GFIRestart64.exe 1 5 2->12         started        14 GFIRestart64.exe 2->14         started        signatures3 process4 dnsIp5 35 27.124.9.13, 49723, 49724, 49726 BCPL-SGBGPNETGlobalASNSG Singapore 8->35 25 C:\Users\user\AppData\...behaviorgraphFIRestart64.exe, PE32+ 8->25 dropped 27 C:\Users\...behaviorgraphFIRestart64.exe:Zone.Identifier, ASCII 8->27 dropped 16 curl.exe 1 8->16         started        19 curl.exe 1 12->19         started        file6 process7 dnsIp8 29 ip.sb 104.26.12.31, 49720, 49729, 80 CLOUDFLARENETUS United States 16->29 31 127.0.0.1 unknown unknown 16->31 21 conhost.exe 16->21         started        23 conhost.exe 19->23         started        process9
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/9a7b18ca796dc1f79b5a9dd66bc9a553
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-11 14:18:43 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6bqyr7orwg3a226nnvh3hkt4z663irbghzszwvy5niavvpfz53q._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
RustyStealer
9e537007069b186eb15cc7134fe60f3d87472e511404ad5143efb58233619f18
RustyStealer
dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
RustyStealer
error
RustyStealer
fcf2dfb4bbc60cfcf233616f5b995859d233dc46c108bbce16c49dec186e6416
RustyStealer
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor
Link:
https://tria.ge/reports/251025-2fcq5sbl51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates connected drives
Drops startup file
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
27.124.9.13:5689
127.0.0.1:80
Verdict:
Malicious
Tags:
ProcessKiller
YARA:
n/a
Link:
https://app.threat.zone/submission/53fcce2d-def8-4662-a0df-a746a5497eaa
Unpacked files
SH256 hash:
87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77
MD5 hash:
9a7b18ca796dc1f79b5a9dd66bc9a553
SHA1 hash:
d23c8d1269f075ed0c8ba35a8c94c9791c6515b5
Link:
https://www.unpac.me/results/12669b42-4265-41e4-b226-468a1089b36b/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87830c47ee8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RustyStealer

Executable exe 87830c47ee8d8db06b5e6b6a7d9d53e67deda22131f32cdab8eb500ad5e5cf77

(this sample)

  
Link
https://tria.ge/251025-1f571sar4s
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34125/

Comments