MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5a5f1d25e05687a214f1305ab6ab307dadbcf997e6f632756b67c9579a5fe0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RustyStealer
Vendor detections: 12

SHA256 hash: e5a5f1d25e05687a214f1305ab6ab307dadbcf997e6f632756b67c9579a5fe0e
SHA3-384 hash: ce0ec77ff3aaff824591790756142455bcfd5ff6c20db7c09cc5c10e9b018f05c57855f2d05dc8fa3d7ac67728624040
SHA1 hash: 8a48d4d963d97409c5062b062eaef86aee920c95
MD5 hash: b3ee8558ad35d1531f5f8458f649f5a9
humanhash: colorado-august-alanine-charlie
File name: 888.exe
Signature: RustyStealer
File size: 81'190'688 bytes
First seen: 2026-02-15 19:14:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 103 x GuLoader, 64 x DiamondFox)
ssdeep: 1572864:3slzi4uN38yUrBSXdkkWyzvLwI/kSEfYiMF1DsBbGebCPk:36zPuNzUCVzvF/kHfYHslnCPk
Threatray: 58 similar samples on MalwareBazaar
TLSH: T1430833C46969F54FF39C897CC9A1E27E8BF8A91FF4F04488E7684D56462618162BFF00
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 696a6ee2b2b2c2cc (20 x ValleyRAT, 18 x RedLineStealer, 17 x LummaStealer)
Reporter: petrovic
Tags: exe RustyStealer

Note on pivoting: the imphash and the icon dhash are each shared with hundreds of other samples attributed to unrelated families (RedLineStealer, GuLoader, DiamondFox for the imphash; ValleyRAT, RedLineStealer, LummaStealer for the icon), so they reflect a generic import table and icon rather than anything specific to this sample. Pivot on the SHA-256, and on ssdeep/TLSH for near-duplicate clustering, not on the imphash or icon hash.
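Before analysing a downloaded copy of this sample, a practitioner should confirm it is byte-for-byte the file the entry describes. The script below is an added example, not MalwareBazaar's own tooling: it streams the file once through the four hash algorithms listed above (all available in Python's standard hashlib), compares the results and the size against the values copied from this entry, and flags a mixed result (some digests match, others do not) as a failure rather than a partial success. MalwareBazaar serves samples as a password-protected ZIP (password `infected`), so extract first and point the script at the inner file. The demo bytes used when no path is given are constructed filler, not malware.

```python
"""Verify a local copy of a sample against the hashes on a MalwareBazaar entry.

Added example, not MalwareBazaar's own tooling. ENTRY_IOCS is copied from the
entry above; the demo bytes are constructed, not real malware.
"""
import hashlib
from typing import Dict, Iterable, Iterator, Union

# Indicators copied from this entry (888.exe). "size" is in bytes.
ENTRY_IOCS: Dict[str, Union[str, int]] = {
    "sha256": "e5a5f1d25e05687a214f1305ab6ab307dadbcf997e6f632756b67c9579a5fe0e",
    "sha3_384": "ce0ec77ff3aaff824591790756142455bcfd5ff6c20db7c09cc5c10e9b018f05c57855f2d05dc8fa3d7ac67728624040",
    "sha1": "8a48d4d963d97409c5062b062eaef86aee920c95",
    "md5": "b3ee8558ad35d1531f5f8458f649f5a9",
    "size": 81_190_688,
}

HASH_ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")  # all in hashlib


def iter_chunks(source: Union[bytes, str], chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield the input in 1 MiB chunks, whether it is an in-memory blob or a path.

    The entry's file is ~81 MB, so hashing is streamed rather than read whole.
    """
    if isinstance(source, (bytes, bytearray)):
        for offset in range(0, len(source), chunk_size):
            yield bytes(source[offset:offset + chunk_size])
        return
    with open(source, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            yield block


def compute_iocs(source: Union[bytes, str],
                 algorithms: Iterable[str] = HASH_ALGORITHMS) -> Dict[str, Union[str, int]]:
    """Compute every requested digest plus the size in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for block in iter_chunks(source):
        size += len(block)
        for h in hashers.values():
            h.update(block)
    result: Dict[str, Union[str, int]] = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def verify_sample(source: Union[bytes, str],
                  expected: Dict[str, Union[str, int]]) -> Dict[str, bool]:
    """Return, per indicator in `expected`, whether the local data matches it."""
    algorithms = [k for k in expected if k != "size"]
    actual = compute_iocs(source, algorithms)
    report: Dict[str, bool] = {}
    for key, want in expected.items():
        if key == "size":
            report[key] = actual["size"] == int(want)
        else:
            report[key] = str(actual[key]).lower() == str(want).lower()
    return report


def is_consistent(report: Dict[str, bool]) -> bool:
    """True when the indicators agree (all match or none match).

    A mixed result, e.g. MD5 matching while SHA-256 does not, means the entry
    or the local file was mis-copied or tampered with; treat it as a failed
    verification, never as a partial success.
    """
    values = list(report.values())
    return all(values) or not any(values)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        # Constructed stand-in: a fake MZ header followed by filler bytes.
        demo = b"MZ" + bytes(range(256)) * 64
        print("demo digests:", compute_iocs(demo))
    else:
        report = verify_sample(sys.argv[1], ENTRY_IOCS)
        if all(report.values()):
            status = "OK"
        elif is_consistent(report):
            status = "MISMATCH"
        else:
            status = "INCONSISTENT"
        print(status, report)
```

Run it as `python verify_sample.py 888.exe` (the script name is an assumption). Anything other than OK means the file on disk is not the sample this entry describes, and the vendor verdicts and YARA matches listed below cannot be assumed to apply to it.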

Intelligence

File Origin
# of uploads: 1
# of downloads: 155
Origin country: RO

Vendor Threat Intelligence

ANY.RUN
Malware family: n/a
ID: 1
File name: 888.exe
Verdict: Malicious activity
Analysis date: 2026-02-15 19:16:04 UTC
Tags: roning loader anti-evasion rust stealer auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: emotet cobalt

Result
Verdict: Malware
Maliciousness:
Behaviour
  Creating a file in the %temp% directory
  Creating a file
  Creating a file in the Program Files subdirectories
  Creating a process from a recently created file
  Connection attempt
  Sending a custom TCP request
  DNS request
  Sending an HTTP GET request
  Launching a process
  Using the Windows Management Instrumentation requests
  Searching for synchronization primitives
  Creating a file in the Windows subdirectories
  Creating a service
  Launching a service
  Loading a system driver
  Creating a file in the Windows directory
  Loading a suspicious library
  Running batch commands
  Creating a process with a hidden window
  Forced system process termination
  Deleting a recently created file
  Creating a file in the system32 directory
  Creating a window
  Enabling autorun for a service
  Unauthorized injection to a system process
  Blocking the Windows Defender launch
  Enabling autorun by creating a file

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug installer-heuristic overlay soft-404

Verdict: Malicious
File Type: exe x32
Detections: Trojan.Win32.PoolInject.sba, Trojan.DLLhijack.TCP.ServerRequest, Trojan.Win32.Agent.sb, HEUR:Trojan.Win32.DLLhijack.gen

Threat name: Win32.Dropper.Malgent
Status: Malicious
First seen: 2026-02-15 19:52:00 UTC
AV detection: 19 of 38 (50.00%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery persistence privilege_escalation spyware stealer trojan
Behaviour
  Checks processor information in registry
  Delays execution with timeout.exe
  Enumerates system info in registry
  Modifies data under HKEY_USERS
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: LoadsDriver
  Suspicious behavior: MapViewOfSection
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of UnmapMainImage
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Browser Information Discovery
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  System Network Configuration Discovery: Internet Connection Discovery
  System Time Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Drops file in System32 directory
  Enumerates processes with tasklist
  Modifies Security services
  Checks installed software on the system
  Checks whether UAC is enabled
  Checks computer location settings
  Event Triggered Execution: Component Object Model Hijacking
  Executes dropped EXE
  Loads dropped DLL
  Reads user/profile data of web browsers
  Boot or Logon Autostart Execution: Active Setup
  Modifies security service
  Suspicious use of NtCreateUserProcessOtherParentProcess

Malware family: Terminator.Spyboy
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: EDR_Killer_EDR_Freeze_Tool
Author: Valton Tahiri (cybee.ai)
Description: Detects EDR-Freeze tool in memory - EDR/AV freezing malware
Reference: https://www.linkedin.com/in/valton-tahiri/

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Suspicious_Process
Author: Security Research Team
Description: Suspicious process creation

Rule name: Sus_All_Windows_PE_Malware
Author: DiegoAnalytics
Description: Detects Windows PE malware of all types, avoids non-executables like .html

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

Rule name: telebot_framework
Author: vietdx.mb

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/

Rule name: Windows_Trojan_RoningLoader_a4e851ac
Author: Elastic Security
