MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
SHA3-384 hash: c2a0dafd834768164f25fefb97c0f8d23adb7985080a571c3adbbaa6b0055a2bd892442677ef0070b4f0e6a244b59659
SHA1 hash: 6d702fe228a47e01198fee387a2baecacac706f8
MD5 hash: f2b790302bfb0e7f97f36a387eaeb227
humanhash: yankee-bacon-don-ohio
File name:Setup.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:889'856 bytes
First seen:2025-09-06 17:24:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5a7688a7a1246c8f803d1495445341d (1 x RustyStealer)
ssdeep 12288:z+R+rU7N7Jd+Lyh+YkH1dVy4aAvOYxc929L22A5XXCKoSLd4Mb:KRRN71+Ysoo9i2A1X/6Mb
Threatray 24 similar samples on MalwareBazaar
TLSH T129152827E3149CB8F195A07570C14727E1A2B89207D016F7D59C21E90F3BDEA3AFA2B4
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:cobyrose-com exe SmokeLoader


Avatar
iamaachum
https://hitmeup.space/?p=1085&enHash=3Z6vlNGO6oOI => https://mega.nz/file/VVM3zAiQ#vNErHe28eawffN3LYPfgOHNbCdZbz4qvPMUa02Svycw

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://liquis.in/aaamd/game.exe
Verdict:
Malicious activity
Analysis date:
2025-09-03 18:55:39 UTC
Tags:
rust loader smokeloader
Link:
https://app.any.run/tasks/d7883582-e258-4ddc-ba6c-d6eb08b3e6c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26012/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bc6e8e3e988eb6ab843742
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm masquerade microsoft_visual_cc obfuscated obfuscated packed packed packer_detected threat
Link:
https://www.filescan.io/uploads/68bc6e9637c25fcf12d5c283/reports/3ea06df2-6525-4217-9e61-6a8ecbfcc9a8/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-04T15:47:00Z UTC
Last seen:
2025-09-04T15:47:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7f510a1d-dfb2-4bf8-ab62-31745c4ac109
Result
Threat name:
Clipboard Hijacker, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772394
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Delayed program exit found
Downloads files with wrong headers with respect to MIME Content-Type
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772394 Sample: Setup.exe Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 42 voando26.com 2->42 44 skinsmonkey.richscents2u.com 2->44 46 2 other IPs or domains 2->46 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 12 other signatures 2->62 10 Setup.exe 2->10         started        13 cgvugbj 2->13         started        signatures3 process4 signatures5 80 Contains functionality to inject code into remote processes 10->80 82 Writes to foreign memory regions 10->82 84 Allocates memory in foreign processes 10->84 86 Injects a PE file into a foreign processes 10->86 15 dllhost.exe 10->15         started        process6 signatures7 88 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->88 90 Maps a DLL or memory area into another process 15->90 92 Creates a thread in another existing process (thread injection) 15->92 94 Switches to a custom stack to bypass stack traces 15->94 18 explorer.exe 38 9 15->18 injected process8 dnsIp9 48 skinsmonkey.richscents2u.com 51.79.180.17, 443, 49693 OVHFR Canada 18->48 50 cobyrose.com 185.78.76.81, 49689, 80 MaxihostLTDABR Poland 18->50 52 2 other IPs or domains 18->52 34 C:\Users\user\AppData\Roaming\cgvugbj, PE32 18->34 dropped 36 C:\Users\user\AppData\Local\Temp\F69B.exe, PE32 18->36 dropped 38 C:\Users\user\AppData\Local\Temp\C3A4.exe, PE32 18->38 dropped 64 System process connects to network (likely due to code injection or exploit) 18->64 66 Benign windows process drops PE files 18->66 23 C3A4.exe 4 18->23         started        27 F69B.exe 18->27         started        30 SmartClock.exe 18->30         started        file10 signatures11 process12 dnsIp13 40 C:\Users\user\AppData\...\SmartClock.exe, PE32 23->40 dropped 68 Antivirus detection for dropped file 23->68 70 Multi AV Scanner detection for dropped file 23->70 72 Delayed program exit found 23->72 32 SmartClock.exe 23->32         started        54 voando26.com 134.209.165.152, 443, 49694, 49695 DIGITALOCEAN-ASNUS United States 27->54 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->74 76 Query firmware table information (likely to detect VMs) 27->76 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->78 file14 signatures15 process16
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f2b790302bfb0e7f97f36a387eaeb227
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-05 10:22:12 UTC
File Type:
PE+ (Exe)
Extracted files:
48
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xra7q352565anqp2msem6mzpaciulda4a3nx67v4zytgpv5qhyq._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
pitou
Create hunting rule
lummastealer
Create hunting rule
unc_loader_058
Create hunting rule
smokeloader
Create hunting rule
Similar samples:
0a972a87865a5cdece1bffd569721c845b7ca0a520b227978624705bc8e6a52f
RustyStealer
4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5
RustyStealer
4fb901198759e576ee8fb73510eddcf802091166f227af43b5903742079a2c8f
RustyStealer
62274f044b7407f18bcec4712d6de71076213915f9e4a95c5363436c5f8ebb22
RustyStealer
99a80e2177e257e5ac1509453aaf175a748177861756d3bbe67df660148f9614
RustyStealer
9dd11cef91d0ff03900e69e0c2a9bec6ea80233fea7c98a8abef3287d35cea11
RustyStealer
cd385e78225757bc6032c670edb25fca7fc51110454a8c0da3ae1c2b28bc2464
RustyStealer
d7ab100eec217ae7edde5ad39ec0775e7ebca760ed758c63c412a6253de6a9d5
RustyStealer
error
RustyStealer
f5e2512b17a41303dda15f6cdebcf5b7a3c78e9d8a758422ed7b8261bd6f6db1
RustyStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250906-vzhyyabr5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d75b6e32-f97d-420d-8d55-b3b34d17a695
Unpacked files
SH256 hash:
d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1
MD5 hash:
f2b790302bfb0e7f97f36a387eaeb227
SHA1 hash:
6d702fe228a47e01198fee387a2baecacac706f8
Link:
https://www.unpac.me/results/ec82f3d0-6d01-4144-b62e-2c2b93855aed/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5e20fc37dd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

Executable exe d5e20fc37dd77dd0360fd32446799978048a2c60e036dbfbf5e671333ebd81f1

(this sample)

  
Link
https://tria.ge/250906-vm3gtabp3v/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26012/

Comments