MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
SHA3-384 hash: 9c8039ac19d5d7be7aee01fde19563160886287be733005f74e52b6af1344a4987d5661d07163171dfc4b4cb909ad53b
SHA1 hash: f6e763fe3073285b34ac415179f42ae70c427cf7
MD5 hash: 4a3468cd21c3dd03fab5000f3d3d06c4
humanhash: robin-lamp-bakerloo-eighteen
File name:Setup.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:12'637'744 bytes
First seen:2024-07-23 19:17:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 393216:EV44DZhVUOvWqkx4pNOK/1nm4QGsf6rqNwT:ozvWqkxk1nm4QGsaT
TLSH T193D6F122F6C2D47BC1550278055EB3AD56BFAE301F228AD3B79476ACAE301F01E79617
TrID 45.4% (.EXE) Inno Setup installer (107240/4/30)
24.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon e9e2eae6b696c6ec (11 x LummaStealer, 4 x Vidar, 2 x FickerStealer)
Reporter aachum
Tags:exe RustyStealer


Avatar
iamaachum
https://et464sqn.click/?sessionId=53f5805723488f47571ef2dcba86cb72&q=1&hash8=669ffb15151f6&t=16&s=IObit+Uninstaller+Pro+Key+13.5+Crack+++License+Key+2024+\[Free\] => https://mega.nz/file/bexgSB5J#yCYwzSpUCD-aDb7YLs5VnamV7T5YJqiiIKVYf6zA2Qs

Lumma C2:
https://enormousseop.shop/api
https://unseaffarignsk.shop/api
https://shepherdlyopzc.shop/api
https://upknittsoappz.shop/api
https://liernessfornicsa.shop/api
https://outpointsozp.shop/api
https://callosallsaospz.shop/api
https://lariatedzugspd.shop/api
https://indexterityszcoxp.shop/api
Amadey C2:
http://brasseriehub.com/h9fmdW5/index.php
http://brasseriehub2.com/h9fmdW6/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2024-07-23 19:09:15 UTC
Tags:
lumma stealer amadey botnet
Link:
https://app.any.run/tasks/7665da37-b048-42a9-87d5-6046ab51722b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a001eca97e13ad9de7937b
Tags:
Execution Generic Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Moving a recently created file
Moving a file to the %temp% subdirectory
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi explorer fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/66a001ecdfa8b2fced4d8ec0/reports/21b942e7-4e43-4cef-a9dc-fc406a7c7f96/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd69fb0a-fc47-4a95-aa5e-08df32fd3aab
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479630
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1479630 Sample: Setup.exe Startdate: 23/07/2024 Architecture: WINDOWS Score: 100 87 Found malware configuration 2->87 89 Antivirus detection for dropped file 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 4 other signatures 2->93 12 Setup.exe 2 2->12         started        process3 file4 79 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 12->79 dropped 15 Setup.tmp 3 5 12->15         started        process5 file6 83 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 15->83 dropped 85 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->85 dropped 18 Setup.exe 2 15->18         started        process7 file8 49 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 18->49 dropped 21 Setup.tmp 5 8 18->21         started        process9 file10 55 C:\Users\user\AppData\Local\...\is-42VE3.tmp, PE32 21->55 dropped 57 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 21->57 dropped 59 C:\Users\user\...\DuetUpdater.exe (copy), PE32 21->59 dropped 61 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->61 dropped 24 IDRBackup.exe 12 21->24         started        28 DuetUpdater.exe 13 21->28         started        process11 file12 63 C:\Users\user\AppData\Roaming\...\vclx120.bpl, PE32 24->63 dropped 65 C:\Users\user\AppData\Roaming\...\vcl120.bpl, PE32 24->65 dropped 67 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 24->67 dropped 75 6 other malicious files 24->75 dropped 103 Switches to a custom stack to bypass stack traces 24->103 30 IDRBackup.exe 3 24->30         started        69 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 28->69 dropped 71 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 28->71 dropped 73 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 28->73 dropped 77 6 other malicious files 28->77 dropped 34 conhost.exe 28->34         started        signatures13 process14 file15 81 C:\Users\user\AppData\Roamingbehaviorgraphnr\...\Bt.exe, PE32 30->81 dropped 109 Maps a DLL or memory area into another process 30->109 111 Switches to a custom stack to bypass stack traces 30->111 113 Found direct / indirect Syscall (likely to bypass EDR) 30->113 36 more.com 3 30->36         started        40 Bt.exe 37 30->40         started        42 conhost.exe 34->42         started        signatures16 process17 file18 51 C:\Users\user\AppData\Local\Temp\ghofwax, PE32 36->51 dropped 53 C:\Users\user\AppData\...\SputterPork.pif, PE32 36->53 dropped 95 Drops PE files with a suspicious file extension 36->95 97 Writes to foreign memory regions 36->97 99 Found hidden mapped module (file has been removed from disk) 36->99 101 3 other signatures 36->101 44 SputterPork.pif 1 36->44         started        47 conhost.exe 36->47         started        signatures19 process20 signatures21 105 Switches to a custom stack to bypass stack traces 44->105 107 Found direct / indirect Syscall (likely to bypass EDR) 44->107
Score:
8%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 23:08:03 UTC
File Type:
PE (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6c3wwkdv2iamvvoylh4ufysjttsslvw2ff6qnoa6zdb3efo42eq._file
Verdict:
unknown
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/240723-xzxs7stbjn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Lumma Stealer
Malware Config
C2 Extraction:
https://enormousseop.shop/api
https://unseaffarignsk.shop/api
https://shepherdlyopzc.shop/api
https://upknittsoappz.shop/api
https://liernessfornicsa.shop/api
https://outpointsozp.shop/api
https://callosallsaospz.shop/api
https://lariatedzugspd.shop/api
https://indexterityszcoxp.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a92ca4e7-db91-4377-87ea-ca30557595a8
Unpacked files
SH256 hash:
1ebe2945f564ab2c0568c57592097e73c524fc3fa0f31c7c00ac9db3a7efd136
MD5 hash:
1d0ec3516586f0b77da6372f3a82143d
SHA1 hash:
f6b9703e89aa1f331c670dd291f2c16011979e86
Link:
https://www.unpac.me/results/0755cb2d-969b-4721-8dee-f50c455e4fb1/
SH256 hash:
a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
MD5 hash:
4a3468cd21c3dd03fab5000f3d3d06c4
SHA1 hash:
f6e763fe3073285b34ac415179f42ae70c427cf7
Detections:
manjusaka_payload_mz
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
Link:
https://www.unpac.me/results/0755cb2d-969b-4721-8dee-f50c455e4fb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang
Create hunting rule
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689

(this sample)

  
Link
https://tria.ge/240723-xgzvvawapa
anyrun
any.run
https://app.any.run/tasks/7665da37-b048-42a9-87d5-6046ab51722b
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments