MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75cf24a30202d36d98f7201d9a6d3df4a8a49577b15153e00a46ebab8ae9ea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 11

SHA256 hash: d75cf24a30202d36d98f7201d9a6d3df4a8a49577b15153e00a46ebab8ae9ea3
SHA3-384 hash: 603f19de108d01c81fce3e022cb54707204d6cfc4c6b836f8ee0dec2f805149bc9bfb4ce787505a075042f9c1c824d96
SHA1 hash: f8c534be0d1ccb305343b8dea624bf65d1f97731
MD5 hash: 46de4ff3e38cb5d2486ebdf4bd31159d
humanhash: east-green-nine-hawaii
File name: YomiraV86.exe
Signature: RustyStealer
File size: 45'895'533 bytes
First seen: 2025-04-09 07:39:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6b80d32805805a919994b377cc2bd678 (1 x RustyStealer)
ssdeep: 786432:Tkw56kVTdooaKwhOVDO2ZZWuW38mf2Qtb51ypipdt60J8YU7Fexaypo3+N1:PAkBomVa2ZgubQUyM+z
TLSH: T140A701613A0B9DD2C09E80F91F1B7F906D50E3B1331632A5EEE152FCAE434A4A5DDD1A
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
  12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.1% (.ICL) Windows Icons Library (generic) (2059/9)
  5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: cyberkaida
Tags: discord exe RustyStealer stealer streamer vtuber

Intelligence


File Origin
# of uploads: 1
# of downloads: 507
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Yomira.7z
Verdict: No threats detected
Analysis date: 2025-04-08 12:43:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: autorun spawn hype sage

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a file in the %temp% directory
  Creating a window
  Searching for the window
  Changing a file
  DNS request
  Connection attempt
  Creating synchronization primitives
  Sending a custom TCP request
  Launching the default Windows debugger (dwwin.exe)
  Forced shutdown of a browser

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug fingerprint mingw overlay packed packed packer_detected

Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 22 / 100
Signature:
  Found direct / indirect Syscall (likely to bypass EDR)
Behaviour:
  Behavior Graph: n/a

Gathering data
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-04-08 12:43:36 UTC
File Type: PE+ (Exe)
Extracted files: 11
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Verdict: malicious
Label(s): admintool_wstunnel
Similar samples:

Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery spyware stealer
Behaviour:
  Enumerates system info in registry
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Browser Information Discovery
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
  Drops startup file
  Reads user/profile data of web browsers
  Looks for VMWare drivers on disk
  Uses browser remote debugging
  Enumerates VirtualBox DLL files
  Looks for VirtualBox drivers on disk
  Looks for VirtualBox executables on disk

Verdict: Suspicious
Tags: external_ip_lookup
YARA: n/a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_VIRTUAL_SIZE
Title: Optimize binary virtual size
Severity: medium
Reviews
ID: FFI_METHODS
Capabilities: Can perform system-level operations via FFI
Evidence:
_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h119ab0e493a53de9E
_ZN4core3ptr99drop_in_place$LT$core::result::Result$LT$alloc::string::String$C$std::ffi::os_str::OsString$GT$$GT$17h5714ccc6556c7727E
_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h7025bda48cdbbf16E
_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h7025bda48cdbbf16E.llvm.9522433207739460346
_ZN4core3ptr114drop_in_place$LT$core::result::Result$LT$std::ffi::os_str::OsString$C$native_windows_gui::errors::NwgError$GT$$GT$17h350e7a8478e70742E
_ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h4f3420bf9aaf16b2E
_ZN4core3ptr125drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$RP$$GT$17hcc8b707416edf72bE
_ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17hfbad5da0b73e6e6bE
_ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::IntoIter$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17h784860ef7f8b505bE
_ZN4core3ptr165drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$GT$$GT$17hd8a89dff745a42a8E
_ZN4core3ptr165drop_in_place$LT$core::option::Option$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$$GT$17h850101eb63d42e02E
_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h22d3b58c26df89e1E
_ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17he412b31beebb0bc3E
_ZN4core3ptr84drop_in_place$LT$$LP$std::ffi::os_str::OsString$C$std::ffi::os_str::OsString$RP$$GT$17h8c69f1e7700455e6E
_ZN4core3ptr97drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$RP$$GT$17h5c9ffa86a7bc2767E
_ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h203e3962da86bf7fE
_ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Write$GT$9write_str17h8141007801bff817E
_ZN3std3ffi6os_str95_$LT$impl$u20$core::convert::TryFrom$LT$$RF$std::ffi::os_str::OsStr$GT$$u20$for$u20$$RF$str$GT$8try_from17h528e6a2dcb08aa5fE
_ZN62_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Debug$GT$3fmt17h4dc5fe13cf99e3cfE
_ZN64_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Display$GT$3fmt17h811856d0cfe1a76bE
_ZN113_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$std::ffi::os_str::OsString$GT$$GT$4from17h4c0fc73e151c932bE
_ZN3std3sys3pal7windows7process123_$LT$impl$u20$core::convert::From$LT$std::sys::pal::windows::process::EnvKey$GT$$u20$for$u20$std::ffi::os_str::OsString$GT$4from17he9fc3e73fcc156caE
_ZN114_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$$RF$std::ffi::os_str::OsStr$GT$$GT$4from17h0f37164e4e2b0e5bE
_ZN111_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$GT$6as_ref17h96646100aedd6aa5E
_ZN60_$LT$std::ffi::os_str::OsStr$u20$as$u20$core::fmt::Debug$GT$3fmt17h8b8f76442a007a50E
_ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Debug$GT$3fmt17hacb140f73b0ea23cE

ID: FILE_IO_READ
Capabilities: Can Read Files
Evidence:
_ZN54_$LT$std::fs::Metadata$u20$as$u20$core::fmt::Debug$GT$3fmt17h38923b1b07140faaE
_ZN75_$LT$std::fs::ReadDir$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17h4c6874f680e3fea0E

ID: FILE_IO_WRITE
Capabilities: Can Create and Remove Files
Evidence:
_ZN79_$LT$alloc::vec::Vec$LT$u8$GT$$u20$as$u20$std::io::copy::BufferedWriterSpec$GT$11buffer_size17hcbeb0bc37e17174fE
_ZN54_$LT$std::fs::DirEntry$u20$as$u20$core::fmt::Debug$GT$3fmt17h45d556366f403c75E
_ZN54_$LT$std::fs::FileType$u20$as$u20$core::fmt::Debug$GT$3fmt17hee1bb2391b606d32E
_ZN57_$LT$std::fs::Permissions$u20$as$u20$core::fmt::Debug$GT$3fmt17h5f39beff15b9cfdfE

ID: NET_METHODS
Capabilities: Uses Network to send and receive data
Evidence:
_ZN104_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$LP$$RF$str$C$u16$RP$$GT$$GT$8try_from17h8db00f9388dfa5bdE
_ZN90_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$RF$str$GT$$GT$8try_from17h6689aa2b0e49db4dE
_ZN68_$LT$std::sys_common::net::TcpStream$u20$as$u20$core::fmt::Debug$GT$3fmt17hcd3567c16aa6ef34E
_ZN70_$LT$std::sys_common::net::TcpListener$u20$as$u20$core::fmt::Debug$GT$3fmt17hf3092c759f7fb7cbE
_ZN68_$LT$std::sys_common::net::UdpSocket$u20$as$u20$core::fmt::Debug$GT$3fmt17h28292856884a474cE
_ZN91_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17hfc864fd160b3e27cE
_ZN74_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::ops::drop::Drop$GT$4drop17h266881e36c726061E
_ZN3std10sys_common3net154_$LT$impl$u20$std::sys_common::IntoInner$LT$$LP$std::sys_common::net::SocketAddrCRepr$C$i32$RP$$GT$$u20$for$u20$$RF$core::net::socket_addr::SocketAddr$GT$10into_inner17h334cefb90073cbceE

Comments