MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966
SHA3-384 hash:	5a0d9b3c6c7ee582f58fe78631afb7d60bba45d586fc02f08d018cd2dd5ca85a6d0fb33d208ffab35e874b08734aa5d7
SHA1 hash:	664460629159a4d63374eda143a3b401b84c13e4
MD5 hash:	217ee1a220464424dc8225f5cbf41458
humanhash:	north-apart-bakerloo-butter
File name:	SecuriteInfo.com.Win32.MalwareX-gen.16855847
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	6'064'968 bytes
First seen:	2025-09-15 15:19:51 UTC
Last seen:	2025-09-16 04:10:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ebfcafca4943e1084db2c03154f3d02d (1 x RustyStealer)
ssdeep	98304:9ndOdFlSwW+W2JT1VOazg+EfezR1BfQ0fyZOtmzUrZVKVUub0KOiVz8l9Z+TpcfZ:9nAFlJW+W2JT1VtgmV1B40quwuZEVUqY
TLSH	T13D562371B72280E7D80561B5501FE3284E669BA8A3C188FF43C4ADF82EF46D1AD3557E
TrID	39.5% (.EXE) InstallShield setup (43053/19/16) 28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.6% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

http://178.16.54.200/download.php

Verdict:

Malicious activity

Analysis date:

2025-09-15 14:55:27 UTC

Tags:

loader amadey lumma stealer botnet auto redline credentialflusher payload stealc

Link:

https://app.any.run/tasks/f05b2e68-1eeb-49d2-a411-f0b7ea0beab8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PCRat

Link:

https://www.capesandbox.com/analysis/27570/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c82ef1e579c633a4b5686c

Tags:

cobalt emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a custom TCP request

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

Moving a file to the Program Files subdirectory

Creating a file in the Windows directory

DNS request

Creating a process with a hidden window

Creating a window

Creating a file

Connection attempt

Searching for synchronization primitives

Enabling autorun

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-15T11:58:00Z UTC

Last seen:

2025-09-15T11:58:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win32.Gomal.sb Backdoor.Win32.Farfli HEUR:HackTool.Win64.NoDefender.a HEUR:Backdoor.Win32.Androm.gen Trojan-Spy.Win64.Agent.sb Backdoor.Win32.Zegost Backdoor.Win32.Farfli.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Lotok.sbc Backdoor.Win32.Androm VHO:Backdoor.Win32.Convagent.gen Trojan-Spy.Win32.Agent

Link:

https://opentip.kaspersky.com/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2ddfe4be-5a00-4ed2-a844-8e5d5aaef58c

Score:

66%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966/

Verdict:

Malicious

Threat:

Family.PURPLEFOX

Link:

https://tip.neiki.dev/file/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966

Threat name:

Win32.Trojan.Amadey

Status:

Suspicious

First seen:

2025-09-15 15:11:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t65os4oolkxbs4o2v3g5iwphusnyywroks7wn757r7wqcetm3fta._file

Result

Malware family:

purplefox

Score:

10/10

Tags:

family:purplefox discovery persistence rootkit trojan

Link:

https://tria.ge/reports/250915-sralgszmt8/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Enumerates connected drives

Executes dropped EXE

Detect PurpleFox Rootkit

Modifies WinLogon for persistence

PurpleFox

Purplefox family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e9cade99-3df0-46d4-948c-047572098937

Unpacked files

SH256 hash:

9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966

MD5 hash:

217ee1a220464424dc8225f5cbf41458

SHA1 hash:

664460629159a4d63374eda143a3b401b84c13e4

Link:

https://www.unpac.me/results/83229e31-7ce3-4206-9209-ffae020ae8b8/

SH256 hash:

06654d17334fa342f62d42bd805c8bc6da8105612d9ff45c45b8f092a7c46e17

MD5 hash:

0fe04f5747f21419bc96e130b2068238

SHA1 hash:

558279fe10e5dc98419c3d7e138a569e7ca59011

Link:

https://www.unpac.me/results/83229e31-7ce3-4206-9209-ffae020ae8b8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9fbae971ce5a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9fbae971ce5aae1971daaecdd459e7a49b8c5a2e54bf66ffbf8fed01126cd966

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings