MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774
SHA3-384 hash:	0b29ba814283a561b6d6504588c61a2250a31c8c22c92fe9a68300bb73c552188ff33c5be47d473d112803b7d6a6890e
SHA1 hash:	6a8452524ac24759f8b267b99858ca20ac9d614c
MD5 hash:	2943100ca3c58044cb6b26950fae1c1d
humanhash:	hot-uncle-idaho-saturn
File name:	exterial.exe
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	32'621'056 bytes
First seen:	2026-05-26 17:55:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0bc1b1e557f4a4387777840b7c7925ef (2 x RustyStealer)
ssdeep	393216:QzjNdVptojz5R4hWCs5iYCOLYgCig8sQeNut5AVnDii6Ss1DT9SfhVEBhz:qjNT7ojzIWCahDLBtVbD1DT9SfhMhz
Threatray	223 similar samples on MalwareBazaar
TLSH	T1A967F158020CE388785F4636F3D4F83FF2DC25993776E8A9BC39D1DAA412285D2B9587
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	burger
Tags:	exe RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exterial.exe

Verdict:

No threats detected

Analysis date:

2026-05-26 17:55:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/030e68ea-811b-4964-98d5-8327cc1fdf97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a15de735d76862ef947fe18

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Query of malicious DNS domain

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a15dea977463968d6160917/reports/d5b8b386-cfd8-40a4-8385-d3f081e3fad1/overview

Verdict:

Malicious

Labled as:

Whisperer.1.Generic

Link:

https://www.hybrid-analysis.com/sample/a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-26T15:02:00Z UTC

Last seen:

2026-05-26T18:48:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Stealer.HTTP.C&C Trojan-Dropper.Win64.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win32.Inject.sb Trojan-PSW.Win64.Stealer.aufi Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1918861

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774

Gathering data

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774

Threat name:

Win64.Spyware.Rustystealer

Status:

Malicious

First seen:

2026-05-26 17:55:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uzcmvi5itb6jtwzxrmywe3eahvdeih72f5nvtkyifujhx34as52a._file

Verdict:

malicious

Label(s):

nwhstealer

RustyStealer

2e9338feb1b56d1da46cddc5013570812236b9ea5f860d16f8d1c18ac08d7945

RustyStealer

3e746b1b5b1836adc70ce7ed8bcd08e997c817c30ac2a8ee25187e62c403dda5

RustyStealer

4920f87d77a06d39793db7f6badae775702facb6bf848ef2f2868a2e022911b3

RustyStealer

656c6585eed987efb12836b59447f9fce7dc4399f63c95427c05fbff3cb52bba

RustyStealer

dd2e5de5a6d9a4e2c482850ce0cb8aaa0e2f7a69352b0d53a893ffe4079f2008

RustyStealer

ded1fef0fd446ee7b8586d1acdabe633dc3968480eacd6bd8f097cd25c3dcc8a

RustyStealer

error

RustyStealer

+ 213 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/260526-whxansav5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a644caa3a8987c99db378b31626c803d46441ffa2f5b59ab082d127bef809774

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample