MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab782f75957f3a4e4a398f170f5d41c592d2f8ca135bda12875b994944e78ab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RustyStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 21 File information Comments

SHA256 hash: ab782f75957f3a4e4a398f170f5d41c592d2f8ca135bda12875b994944e78ab2
SHA3-384 hash: 0b4199cb29cae370b6eb783405da591b7fbb58a28ba9e033def7bb3d7066e022049ef05473a42c47de694e57ed50ac98
SHA1 hash: da1704cfbae51d5ae66f214596e1462fc8878d87
MD5 hash: 9062fd38a3c4505e53941ca086bc777c
humanhash: blossom-eleven-west-nebraska
File name:ab782f75957f3a4e4a398f170f5d41c592d2f8ca135bda12875b994944e78ab2
Download: download sample
Signature RustyStealer
File size:7'987'712 bytes
First seen:2026-07-14 13:31:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fcd0b0c9f2103055a1bd05bf71f2565 (1 x RustyStealer)
ssdeep 49152:pVZPDexk6G0LmFQvY8aIdRNGPBuDqKrKB6LIooGTlGeU+P3h1MujN4HkbuYAgt9i:LlDewavYJwM749vE595zAoH5u
TLSH T158865B11BA5A58ECC05AC47482464A63AA3134DB0B35BAFF45C486783FAAFF55F3C718
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter Threatray
Tags:exe GajendraStealer RustyStealer stealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
164
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Tags:
infosteal shell sage hype
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a file
Creating a process from a recently created file
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict:
malicious
Label(s):
gajendrastealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Executes dropped EXE
Unpacked files
SH256 hash:
ab782f75957f3a4e4a398f170f5d41c592d2f8ca135bda12875b994944e78ab2
MD5 hash:
9062fd38a3c4505e53941ca086bc777c
SHA1 hash:
da1704cfbae51d5ae66f214596e1462fc8878d87
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:CMD_Ping_Localhost
Rule name:CMD_Shutdown
Author:adm1n_usa32
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_detect_tls_callbacks
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments