MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
SHA3-384 hash: c2c50f052e361d755207234803f31d445d0b2d4bce059089e4c5d24a10ef0511d43bad7489f575f913e6330912205bf0
SHA1 hash: 1cc1cd3c2af9574375070045775ca47a458169dd
MD5 hash: 969919f2af5a252f60c1869e0d25553a
humanhash: mango-nebraska-coffee-kilo
File name:installerone29.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:6'269'952 bytes
First seen:2025-05-03 18:03:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 758ecf42d0afde1d8e2f630b5a048330 (1 x RustyStealer)
ssdeep 49152:lVjOIR5XiqCKmXBA0W82DBH/JxzikWYhBwj1PP3Sqm1K6gnscg2aWzKai+FU7cN0:igX68ShIaCza23hZvJSiNUgJj
Threatray 4 similar samples on MalwareBazaar
TLSH T13756E81AA76D60D9D0BFC078D2839F62BD217499073977F7898182692F20EF86D3D364
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter MAM
Tags:exe RustyStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
installerone29.exe
Verdict:
Malicious activity
Analysis date:
2025-05-03 18:09:58 UTC
Tags:
possible-phishing xworm remote rust
Link:
https://app.any.run/tasks/62c0d145-7bd3-4494-b049-3685bf33eb93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.854.6195.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68165be58474cc94a4e36f63
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug microsoft_visual_cc rust
Link:
https://www.filescan.io/uploads/68165aa7c7418694c8a4dd16/reports/c2edc8df-e8ee-4053-8c2f-47f9eee4f608/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d396fb9-f26c-4d26-b258-3e4b223ee3f0
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1680633
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1680633 Sample: installerone29.exe Startdate: 03/05/2025 Architecture: WINDOWS Score: 100 38 fanciful-gelato-78b95c.netlify.app 2->38 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 8 other signatures 2->54 8 installerone29.exe 3 2->8         started        12 installerone29.exe 2 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 36 C:\Users\user\...\installerone29.exe.log, CSV 8->36 dropped 56 Suspicious powershell command line found 8->56 58 Bypasses PowerShell execution policy 8->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 17 powershell.exe 37 8->17         started        20 schtasks.exe 1 8->20         started        22 schtasks.exe 1 8->22         started        40 154.197.33.29, 7000 HKBN-AS-APHKBroadbandNetworkLtdHK Seychelles 12->40 42 fanciful-gelato-78b95c.netlify.app 13.52.115.166, 443, 49688, 49689 AMAZON-02US United States 12->42 24 schtasks.exe 1 12->24         started        26 WerFault.exe 19 16 12->26         started        44 127.0.0.1 unknown unknown 15->44 file6 signatures7 process8 signatures9 46 Loading BitLocker PowerShell Module 17->46 28 conhost.exe 17->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        process10
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-06 23:08:14 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riio5qpx7vnwnljasxvkqsa6tp6wm2idhlzsgpcl72xvuhpj745a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
RustyStealer
a63060468bd709eff8ab35c0cf0abab5b1e4818e189f00dd1338b52307715ec8
RustyStealer
error
RustyStealer
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm execution loader rat trojan
Link:
https://tria.ge/reports/250503-wnrx5sxya1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
154.197.33.29:7000
Verdict:
Malicious
Tags:
phishing
YARA:
n/a
Link:
https://app.threat.zone/submission/4eefb021-6d66-4609-943a-b4922f501274
Unpacked files
SH256 hash:
8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
MD5 hash:
969919f2af5a252f60c1869e0d25553a
SHA1 hash:
1cc1cd3c2af9574375070045775ca47a458169dd
Link:
https://www.unpac.me/results/8af027fb-c7f3-459a-9ead-63a70d672d7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Create hunting rule
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments