MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2
SHA3-384 hash: dbca526ba80e826660089651359cbd45df890dd985ea9917391c6a87c8b522df96f3566b5ae660c95ebf3c99078086fe
SHA1 hash: f2c8335825bca42db735ac11e9c50e16300ebd36
MD5 hash: efbae8d7bd809f1df3a00d44bca3143c
humanhash: mars-oklahoma-bacon-william
File name:NetworkLabsAu.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:1'031'168 bytes
First seen:2025-10-28 17:23:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af6bd3a1591af995ace7bdc58ad3a061 (1 x RustyStealer)
ssdeep 12288:Ak8BBB5i1a+Teh/bRZwelws09MhgSUpCNk3iMylts3HYZHjxTvfn1n4aLseFHMpE:AkqBUa+TehFZFQCyyl6HYLrRFcMwPzy
Threatray 1 similar samples on MalwareBazaar
TLSH T10B25F132BCF350B5C05651334825C66DE3E99CBACF418AEBD2968969CD65FE0C63221F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter GDHJDSYDH1
Tags:backdoor exe RustyStealer stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NetworkLabsAu.exe
Verdict:
No threats detected
Analysis date:
2025-10-28 17:19:23 UTC
Tags:
rust
Link:
https://app.any.run/tasks/67b8b02d-95e2-404c-842b-c02ac6e57a97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AuraStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34532/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6900fb1a706befaf4ec9bb5c
Tags:
shellcode rasteal overt virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
DNS request
Sending a custom TCP request
Connection attempt to an infection source
Reading critical registry keys
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-26T23:42:00Z UTC
Last seen:
2025-10-28T11:40:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Aur.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Aur.u VHO:Trojan-PSW.Win32.Convagent.gen
Link:
https://opentip.kaspersky.com/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6fd72d0e-e7fe-4d94-be86-0c98b598ea01
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/efbae8d7bd809f1df3a00d44bca3143c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Aur
Link:
https://tip.neiki.dev/file/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2
Threat name:
Win32.Spyware.Aurastealer
Create hunting rule
Status:
Suspicious
First seen:
2025-10-28 16:18:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
16 of 36 (44.44%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yh54j5bcxmqtms36cth5qs75emp2ehd6g3rwa6vn23wawnbn2kra._file
Verdict:
malicious
Label(s):
aurastealer
Create hunting rule
Similar samples:
c5b354aaab3d4ea94aeabe412b09b9b9ec6ce0a76462cab89eeb27539bef00e9
RustyStealer
error
RustyStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/251028-vyvw4shx5f/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/74664a09-b31b-447b-97aa-98d56a0769d6
Unpacked files
SH256 hash:
c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2
MD5 hash:
efbae8d7bd809f1df3a00d44bca3143c
SHA1 hash:
f2c8335825bca42db735ac11e9c50e16300ebd36
Link:
https://www.unpac.me/results/64394d31-6c46-47cc-b30b-d15d4cd0755e/
Malware family:
AuraStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1fbc4f422bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 8acfc35ce2d1e0ae44a9a322eccb42f82e8ffa0152ac19695442dca800367844

RustyStealer

Executable exe c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2

(this sample)

anyrun
any.run
https://app.any.run/tasks/6b2035ba-88c8-41c2-be4c-6552d48d3f7e
  
Link
https://hybrid-analysis.com/sample/c1fbc4f422bb21364b7e14cfd84bfd231fa21c7e36e3607aadd6ec0b342dd2a2/6900fb233fa2e0982e054ec4
  
Dropped by
SHA256 8acfc35ce2d1e0ae44a9a322eccb42f82e8ffa0152ac19695442dca800367844
  
Dropped by
RustyStealer
  
Delivery method
Distributed via drive-by
  
Dropped by
MD5 064b24fe26d0b13ab66aec35042ad5d7
Cape
Cape
https://www.capesandbox.com/analysis/34532/

Comments