MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e
SHA3-384 hash: 371a1522b582dda2dd31ab5522d51a23da23a9c48f0c01e02a9ef9717a4f868ca92e5b054a4f8b53b990c0e40e1bebca
SHA1 hash: d896bcbe4e75ee3af67e03a24fb638617857bbed
MD5 hash: bc42a7babac07fa67c213c29cf9e8edf
humanhash: cup-diet-winner-california
File name:bc42a7babac07fa67c213c29cf9e8edf
Download: download sample
Signature RustyStealer
Create hunting rule
File size:10'829'112 bytes
First seen:2023-02-13 00:13:35 UTC
Last seen:2023-02-13 01:33:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 881ebfb4b8b20e1f3b3657fb82622ad3 (5 x RustyStealer, 1 x RedLineStealer)
ssdeep 196608:itPpaOqyCQAuAANu5+j6E6TRH2YguNuoY4XCyEDTzQWkc8LBh7u:8PHdCQAiEcjdPusb4X6/t4X7u
Threatray 84 similar samples on MalwareBazaar
TLSH T1D5B633795D8B18E1EAC72C3C984F6EC770FD02A419A38A1568C59C8E6B7DE70D06BC53
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e686726179b93333 (4 x RustyStealer, 2 x LaplasClipper, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RustyStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc42a7babac07fa67c213c29cf9e8edf
Verdict:
No threats detected
Analysis date:
2023-02-13 00:19:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0daeb6e0-e801-4bc8-97e6-b94ddd389e40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/364675/
Detection(s):
SecuriteInfo.com.Variant.Lazy.297172.1834.22545.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68758/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/79c0bd4d-4b88-40bb-a308-1a6f848ead81
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1172876
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Tries to evade analysis by execution special instruction (VM detection)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 805666 Sample: APRCX46VfB.exe Startdate: 13/02/2023 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Laplas Clipper 2->48 50 Sigma detected: Drops script at startup location 2->50 52 Machine Learning detection for sample 2->52 7 APRCX46VfB.exe 5 2->7         started        11 visegame.exe 2->11         started        process3 file4 34 C:\ProgramData\yegihaga\visegame.exe, PE32 7->34 dropped 36 C:\...\visegame.exe:Zone.Identifier, ASCII 7->36 dropped 54 Query firmware table information (likely to detect VMs) 7->54 56 Self deletion via cmd or bat file 7->56 58 Tries to evade analysis by execution special instruction (VM detection) 7->58 13 visegame.exe 7->13         started        16 cmd.exe 1 7->16         started        60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 64 Injects a PE file into a foreign processes 11->64 18 InstallUtil.exe 11->18         started        21 InstallUtil.exe 11->21         started        23 InstallUtil.exe 11->23         started        signatures5 process6 dnsIp7 66 Antivirus detection for dropped file 13->66 68 Query firmware table information (likely to detect VMs) 13->68 70 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->70 76 5 other signatures 13->76 25 InstallUtil.exe 13->25         started        28 InstallUtil.exe 13->28         started        72 Uses ping.exe to sleep 16->72 74 Uses ping.exe to check the status of other devices and networks 16->74 30 PING.EXE 1 16->30         started        32 conhost.exe 16->32         started        38 192.168.2.1 unknown unknown 18->38 40 nerf-0149-unknown.guru 18->40 signatures8 process9 dnsIp10 42 nerf-0149-unknown.guru 79.137.195.205, 49707, 49708, 80 PSKSET-ASRU Russian Federation 25->42 44 127.0.0.1 unknown unknown 30->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-02-12 17:41:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnssicvuwkihqxoeim6bnk4f5vrii7yxudw2rhnvqncne3hxnnha._file
Verdict:
malicious
Similar samples:
20ac0c20a2ef71864092cdbcdb32bb637cf76abd2ebfc5b351a6c188b9dfd05d
RustyStealer
58b415a4211b4ab0714cb45cfc92cc793c3f6ad8b1413c5f8320cfc77b5d2868
RustyStealer
788477c79faa2ed3b28f7232f1114b94d513dd643f4d0bcc0441d77a1eab4058
RustyStealer
b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
RustyStealer
b7e70119bad5c9fcd84035b4b9064911f45f0e95a2ec4a84b0ee10105d541055
RustyStealer
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RustyStealer
dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe
RustyStealer
e5af161ed00bec735dd830bdd0eb3d57aa0df83d75d85684bd5796fbc6565d66
RustyStealer
+ 74 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230213-ajbvgagh3w/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
59fdc8fd9cce95de63e059370e2378f7029807dd08415509ace7ead8e189596d
MD5 hash:
ab01fbd639a62443edc509424286a1fc
SHA1 hash:
5e8fd81f6f34c83733b31e4e3af59d3f835849ec
Link:
https://www.unpac.me/results/d8c7c53f-913c-42a6-a178-e9ef472a53f1/
SH256 hash:
8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e
MD5 hash:
bc42a7babac07fa67c213c29cf9e8edf
SHA1 hash:
d896bcbe4e75ee3af67e03a24fb638617857bbed
Link:
https://www.unpac.me/results/d8c7c53f-913c-42a6-a178-e9ef472a53f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 8b65240ab4b290785dc4433c16ab85ed62847f17a0eda89db58344d26cf76b4e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2535627/
  
URLhaus
https://urlhaus.abuse.ch/url/2538201/
Cape
Cape
https://www.capesandbox.com/analysis/364675/
  
URLhaus
https://urlhaus.abuse.ch/url/2539011/

Comments


Avatar
zbet commented on 2023-02-13 00:13:38 UTC

url : hxxp://95.216.143.153/rlmp32waveu.exe