MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac
SHA3-384 hash: ac01ef5456a6ebbab2569d350e2cee667b1c0ee7db69a18c4a13434d191c4db01bff32eef33f8fdb9e3f61b1dcd0e729
SHA1 hash: 19d63f346508f51056d793d6c097159b9c30896e
MD5 hash: 6fc8601b3c97548e88a32cd71ec0e4f6
humanhash: helium-wolfram-two-quebec
File name:6fc8601b3c97548e88a32cd71ec0e4f6
Download: download sample
Signature RustyStealer
Create hunting rule
File size:9'170'360 bytes
First seen:2023-02-17 12:43:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 74737a1c73116b0c6a3ee2f6399e6458 (5 x RustyStealer)
ssdeep 196608:VFKFhGtRpxYAU6Hk98L09GHDaHNaSzREy7H:VChGB1k9t9GHDaHNd7H
Threatray 1'080 similar samples on MalwareBazaar
TLSH T12496E06B4BA795BBF68B23F3465E8FDD26AA5287D74F39CA41B11E0C1C28B017B401C5
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e686726179b93333 (4 x RustyStealer, 2 x LaplasClipper, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RustyStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6fc8601b3c97548e88a32cd71ec0e4f6
Verdict:
Malicious activity
Analysis date:
2023-02-17 12:45:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e04551d-b16c-4ad8-bfb3-1d5bf05d544c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367662/
Detection(s):
SecuriteInfo.com.FileRepMalware.19486.12179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus
Link:
https://www.filescan.io/uploads/63ef7694c7a082600e4669c3/reports/e0b08d40-4270-4795-9072-fc7e0e20c870/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac
Result
Verdict:
MALICIOUS
Malware family:
Titan Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4ba72ad-839e-4626-9779-20a80146efa3
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1177997
Signature
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 12:44:09 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
11 of 25 (44.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shrjbf3vsdxsekb3dnbexr4dxtcn3ksr2doy7bgzsadqdyv2b2wa._file
Verdict:
malicious
Similar samples:
291003d022e462dc6ece1e0d6cf6a636520060358683596b71623f1c71a539c3
RustyStealer
2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
RustyStealer
58b415a4211b4ab0714cb45cfc92cc793c3f6ad8b1413c5f8320cfc77b5d2868
RustyStealer
633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004
RustyStealer
712c853955c56e27e3e4538978fa89018cdc5e5f56944ea0da2fc1a672adc73c
RustyStealer
82d011953a7743aef8d380c46177a5c9c9c56e0d9408f47a11eb7443be912e51
RustyStealer
b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
RustyStealer
ca4028b174f018a8401ebefb72d595dad12c12a9ee7209d2fc8993c0c25f3c4d
RustyStealer
d994d8264d8511cb16ce67ed790a7896d0dbbe44d36eaffb43643ff34f3dc177
RustyStealer
f896fb8727bf4875b091c1e1f8c20c861e8887a751ebc9922d65e8750c4ed2a8
RustyStealer
+ 1'070 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit evasion persistence trojan
Link:
https://tria.ge/reports/230217-pygftsfd76/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
86ffd39f8c53924a25935a4e1667487c2a63c7c8313e4d4f6bb13a9ac742db3b
MD5 hash:
021ec3cc05e073e136aa1d19e199b77c
SHA1 hash:
f386c2997fd05878ee3bb9638550deed6e2cf296
Link:
https://www.unpac.me/results/32fdd499-f856-4fb7-9750-66846b92249a/
SH256 hash:
91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac
MD5 hash:
6fc8601b3c97548e88a32cd71ec0e4f6
SHA1 hash:
19d63f346508f51056d793d6c097159b9c30896e
Link:
https://www.unpac.me/results/32fdd499-f856-4fb7-9750-66846b92249a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 91e290977590ef22283b1b424bc783bcc4ddaa51d0dd8f84d9900701e2ba0eac

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2542904/
Cape
Cape
https://www.capesandbox.com/analysis/367662/

Comments


Avatar
zbet commented on 2023-02-17 12:43:25 UTC

url : hxxp://79.137.194.203/rlmp32wavr.exe