MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
SHA3-384 hash: f5c036b12008a7816d2460c52c6a2096780ccb4893d977fd731cbdd4ef4d39d6a85f369f2adf284057ee1509a1bf31df
SHA1 hash: 4be315a3be3406cd58be86410dede0bab19973a5
MD5 hash: 57bad85b357231aa14a8e13d24eb4e46
humanhash: lake-crazy-pasta-diet
File name:vibrantconfig.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:998'912 bytes
First seen:2025-11-02 15:23:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a7c3086234c79a6b9ff1bf173fc5752 (1 x RustyStealer)
ssdeep 24576:E7aZaU8oIOq6Y2AWcqJPGowLJTjPYN4h:6YaU8oxqs3JGoZ4h
TLSH T1DE25E0117A7495FAE66BC07971014A129F76BC820720FEAF1694B46C3E7BEF45E2CB10
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:exe hkdk-events vidar


Avatar
iamaachum
Vidar C2:
https://sgp.null-squad.com/
https://telegram.me/sc0lers
https://de.atlantaoralandfacialsurgery.com/
https://steamcommunity.com/profiles/76561198776306228
https://de.tweethost.com/

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
AtlasBrowser_x64.7z
Verdict:
Malicious activity
Analysis date:
2025-11-01 22:43:35 UTC
Tags:
arch-scr arch-doc arch-html anti-evasion evasion pastebin auto rustystealer stealer python generic xor-url rust telegram stealc vidar
Link:
https://app.any.run/tasks/e64c2b36-e6ce-478b-a66b-af9ab6b0e10f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35016/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6907777d9942f1282ecb756e
Tags:
emotet cobalt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Behavior that indicates a threat
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/690777a3de25fddba0615d42/reports/2c020d73-9672-4c02-a66f-ab7f26911228/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-01T08:33:00Z UTC
Last seen:
2025-11-03T07:31:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win64.Agent.yc
Link:
https://opentip.kaspersky.com/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/873d5c5b-b4c3-4eae-8737-645e7bca46e7
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806562
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806562 Sample: vibrantconfig.exe Startdate: 02/11/2025 Architecture: WINDOWS Score: 100 28 sgp.null-squad.com 2->28 30 www.google.com 2->30 32 ogads-pa.clients6.google.com 2->32 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 3 other signatures 2->58 8 vibrantconfig.exe 16 2->8         started        signatures3 process4 dnsIp5 48 sgp.null-squad.com 5.223.60.50, 443, 49690, 49691 MCCI-ASIR Iran (ISLAMIC Republic Of) 8->48 60 Contains functionality to inject threads in other processes 8->60 62 Tries to harvest and steal browser information (history, passwords, etc) 8->62 64 Writes to foreign memory regions 8->64 66 5 other signatures 8->66 12 chrome.exe 1 8->12         started        15 chrome.exe 1 8->15         started        17 chrome.exe 1 8->17         started        signatures6 process7 dnsIp8 50 192.168.2.5, 138, 443, 49517 unknown unknown 12->50 19 chrome.exe 12->19         started        22 chrome.exe 12->22         started        24 chrome.exe 15->24         started        26 chrome.exe 17->26         started        process9 dnsIp10 34 www.google.com 142.250.217.100, 443, 49708, 49711 GOOGLEUS United States 19->34 36 plus.l.google.com 142.250.73.78, 443, 49720 GOOGLEUS United States 19->36 42 3 other IPs or domains 19->42 38 142.250.73.100, 443, 49746, 49750 GOOGLEUS United States 24->38 44 2 other IPs or domains 24->44 40 142.251.33.68, 443, 49732, 49733 GOOGLEUS United States 26->40 46 2 other IPs or domains 26->46
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/57bad85b357231aa14a8e13d24eb4e46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2025-11-02 15:24:18 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuhobkkrmvgy4mt5wnqz4ao66guzxnumwykrietrrwzhzmghji6a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251102-ss6ejsaq9x/
Verdict:
Malicious
Tags:
Stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/80853569-0efc-405d-b19e-9fbc64303d06
Unpacked files
SH256 hash:
c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c
MD5 hash:
57bad85b357231aa14a8e13d24eb4e46
SHA1 hash:
4be315a3be3406cd58be86410dede0bab19973a5
Link:
https://www.unpac.me/results/7c03afdd-cfd5-4b60-a7d7-a1a9a66e5ec9/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c50ee0a95165/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe 89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12

RustyStealer

Executable exe c50ee0a951654d8e327db3619e01def1a99bb68cb6151412718db27cb0c74a3c

(this sample)

  
Link
https://tria.ge/251102-sf8n5saq31/behavioral2
  
Dropped by
SHA256 89952a6dd64305cc5e134e216f5ffe363d8e9c9fc92e2b2434c7cce60229de12
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/35016/
  
Dropped by
MD5 74f0c36a71538d521613ad08870ad309

Comments