MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12
SHA3-384 hash: adaff68b21abb1e0c274482c5230879d80d1f6c50c3b557bb98dee3675a41d914b997b3fdab8b7daa3f60984dbb056bd
SHA1 hash: e04efc7beb92c8a5a259a5b654199424bd7f4fce
MD5 hash: 74f0c36a71538d521613ad08870ad309
humanhash: april-ten-hamper-emma
File name:AtlasBrowser.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:95'244'656 bytes
First seen:2025-11-02 15:13:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01a702faea615deb8afd2e16c4beb983 (2 x RustyStealer)
ssdeep 1572864:nEy7PX7ibWr0L/k71lMoRB9ktxBpo3MhBGUhXRS4XSJB4Gn0fXt8wrJtKz:Ey+Wr0L/kZzKxBi8hEUhBS4XOl0fXtJQ
TLSH T109282347F1A612F4C12BC2B593165523EF72B458023A62BA92F886703F87B50D73FB95
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:ChatGPTAtlas exe hkdk-events


Avatar
iamaachum
https://github.com/windows-chatGPT-Atlas/windows-chatGPT-atlas/releases/download/windows-chatGPT-Atlas%2Fwindows-chatGPT-atlas/AtlasBrowser_x64.7z

Loader C2: https://hkdk.events/s7je7pxglzqbew

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AtlasBrowser.exe
Verdict:
Suspicious activity
Analysis date:
2025-11-02 15:14:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb590e49-7190-4606-9b72-34209b0862eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690775399942f1282ecb6d8d
Tags:
virus hype
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-01T09:11:00Z UTC
Last seen:
2025-11-03T04:39:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agentb.lewj BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1806556
Signature
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Score:
33%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12
Gathering data
Verdict:
Malicious
Threat:
NetworkReferences.Malware.Generic
Link:
https://tip.neiki.dev/file/89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-02 01:23:52 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgksu3owimc4yxqtjyqw6x76gy6y5he7zexcwjbuy7gomarj3yja._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/251102-smcv2saq6y/
Behaviour
Checks processor information in registry
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Enumerates VirtualBox DLL files
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox executables on disk
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8dd1b036-add3-467b-be92-8a85c966b063
Malware family:
AuraStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89952a6dd643/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12

(this sample)

RustyStealer

Executable exe 8374773c1228695085a3d526c9bbc068aad17d0661511edaf218ac56e2ab6d1f

  
Link
https://tria.ge/251102-sbmwwabx2c/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 8374773c1228695085a3d526c9bbc068aad17d0661511edaf218ac56e2ab6d1f
  
Dropping
MD5 82b286587dc923d49028fe2933f31bde
  
Dropping
SHA256 0e0d781871a69d19e9e5d04a6fb3a5dafab84039e84d8a8d7d3d3d78e7f4e299
  
Dropping
MD5 83315ffd2dd0b70ddd4ed6e46bde59fa
  
Dropping
SHA256 446c7fafb49251c34a38778e669821572ba7ed448fcac4838a95922c2bb04a90
  
Dropping
MD5 65b77a26121e757a7c5037418794ebfa
  
Dropping
SHA256 f6263210de6f511a30930066bc6560d1e47c2537dfefb517ad8541212362b67f
  
Dropping
MD5 208445fc843b9e316e356be3cd90006b
  
Dropping
SHA256 459615f3382371dac440eba7599b0edb98d6f0b83ab795f75ce1fca29d2ab66f
  
Dropping
MD5 f2ad555bbc2bf5e8a5c4f0d51c49a0b4
  
Dropping
SHA256 94d4a725dd8c84e0e7956bf8314d1126aa75df0e1e34c5641694fd0549948ddf
  
Dropping
MD5 40bb27fd88bba214819eea1b981b47ec
  
Dropping
SHA256 c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
  
Dropping
MD5 57bad85b357231aa14a8e13d24eb4e46

Comments