MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979
SHA3-384 hash: 748ea2823addd83706f8ef1201059da1775657cd7a448e0b728b4354c7f38304f601bbf6ca9f8d491d0d7889eccc1efb
SHA1 hash: 359e3f7e762fa43329446d8c6667ce02cafb11fe
MD5 hash: 7f75b75909a7eea973d53e581d422a9f
humanhash: lake-alaska-three-mississippi
File name:7f75b75909a7eea973d53e581d422a9f
Download: download sample
Signature RustyStealer
Create hunting rule
File size:386'560 bytes
First seen:2021-11-21 13:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 51d7433aa5fd2866c12ae6c958725646 (1 x RustyStealer)
ssdeep 6144:nuRV7G+126mAFNXhw6qu3wzIkS1E5cQ0NvNJ73AyIf6T92soF0tt16vJDG7ZfAc0:nuT7G+128EQvNJ73AyIA92sAg+
Threatray 4 similar samples on MalwareBazaar
TLSH T18C843B07F29150E8D02AD47443576532FA727C498722BEEB27E46A312E71FD06B3EB49
Reporter zbetcheckin
Tags:exe RustyStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2e8ee5630cfbf9c640e1e6c80dfba96
Verdict:
Malicious activity
Analysis date:
2021-11-21 11:24:47 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/b8926d7d-3a4f-4939-b267-a0c948dfe329

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Dropper.ClipBanker-9906314-0
Create hunting rule

Win.Dropper.ClipBanker-9906315-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-debug clipbanker monero powershell razy
Link:
https://www.filescan.io/uploads/619a47bfdd04e7d00e00de22/reports/1366c728-fe1a-450a-ad6a-447934ab6358/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abc20da3-6604-4589-a473-e6b33c8f017f
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/893286
Signature
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525759 Sample: aKAZabDL3G Startdate: 21/11/2021 Architecture: WINDOWS Score: 68 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected MicroClip 2->29 7 aKAZabDL3G.exe 4 2->7         started        10 RuntimeBroker.exe 2 2->10         started        process3 file4 23 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 7->23 dropped 13 cmd.exe 1 7->13         started        33 Multi AV Scanner detection for dropped file 10->33 15 WerFault.exe 3 10 10->15         started        signatures5 process6 process7 17 powershell.exe 14 15 13->17         started        21 conhost.exe 13->21         started        dnsIp8 25 iplogger.org 5.9.162.45, 443, 49721 HETZNER-ASDE Germany 17->25 31 May check the online IP address of the machine 17->31 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979/
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 15:19:51 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
81d0fa573d62f82c6d90109d45b923ba28d40a628a03d9d6d1ad46dd69b43f07
RustyStealer
d7322d2705ab994d8769ca74cb6e109018d07afd764393ad89354d8ee98da914
RustyStealer
dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84
RustyStealer
fca3a8527a1f895a5aa06d5cec9ba6be6644ae8ba144a0f3be590f4c4e761cfe
RustyStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211121-qlm9aaghe5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Blocklisted process makes network request
Unpacked files
SH256 hash:
9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979
MD5 hash:
7f75b75909a7eea973d53e581d422a9f
SHA1 hash:
359e3f7e762fa43329446d8c6667ce02cafb11fe
Link:
https://www.unpac.me/results/1cd1f707-c5ba-4407-92e3-3b33915de69a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 9d25b3604e58a4acd3f92c13129772e13dbd5f993ed79ded350b37343646b979

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1803216/
Cape
Cape
https://www.capesandbox.com/analysis/207893/
  
URLhaus
https://urlhaus.abuse.ch/url/1803222/

Comments


Avatar
zbet commented on 2021-11-21 13:20:28 UTC

url : hxxp://f0600380.xsph.ru/ff.exe