MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d
SHA3-384 hash: 1a5c4232db642d34228f507ad5d63bded209accea320a26d2452cc4757f510b593cbae1391087311e4acd77c21aeb791
SHA1 hash: 2ffa2d8a5614c6005b12607ae17ce4cc1dd31b81
MD5 hash: 6ee9956e8068fdf5bcb49e7184714040
humanhash: kentucky-massachusetts-leopard-alaska
File name:exewho2.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:14'089'876 bytes
First seen:2023-12-05 14:41:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c33cf717e63113313861a84613b8c8dc (1 x RustyStealer)
ssdeep 98304:9vA/gsknmU5RCrgSRMMnytk03pRrCdZJXXXJKvHunYnNtQsPso7GnmuawijixO9y:9IYOSJ3pRegwiNK
Threatray 1 similar samples on MalwareBazaar
TLSH T147E68D02E9A41A3CD9DBEA74849F63697B713A48C326DFB70935C3711822393EF1E654
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter cyb3rkitties
Tags:exe RustyStealer


Avatar
cyb3rkitties
Attack tool that downloads and executes payloads in memory.

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
anti-debug anti-vm anti-vm control expand lolbin overlay whirlpool
Link:
https://www.filescan.io/uploads/656f36be3f60a81034894d79/reports/5f463ff6-4ff6-4950-b1e5-7c3db27bf13a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/959c160b-9bda-4414-87a5-b1e37d42973d
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
4 / 100
Link:
https://www.joesandbox.com/analysis/1353991
Behaviour
Behavior Graph:
n/a
Score:
53%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d/
Threat name:
Win64.Trojan.RustyStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 14:47:39 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unuwpjanz73uybfv3wapdktileszclpy75wlmpauawkdtyenl6gq._file
Verdict:
unknown
Similar samples:
a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d
RustyStealer
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231205-r21d8abf21/
Unpacked files
SH256 hash:
a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d
MD5 hash:
6ee9956e8068fdf5bcb49e7184714040
SHA1 hash:
2ffa2d8a5614c6005b12607ae17ce4cc1dd31b81
Link:
https://www.unpac.me/results/43a03511-a654-4785-ac1f-c71efd33dc00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/cyb3rkitties/exewho2
  
Link
https://cyb3rkitties.github.io/posts/exewho2-download-execution-payload-red-teaming/
  
Delivery method
Other

Comments