MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
SHA3-384 hash:	a7d543407817803e0a451edd4c3fd12fba5e4c4fd7fd5a3728b1eaf9138a97847d520ccf8f780bac49d14d09ff3eef26
SHA1 hash:	d34550ebc2bee47c708c8e048eb78881468e6bca
MD5 hash:	6a93e618e467ed13f98819172e24fffa
humanhash:	yellow-alabama-violet-xray
File name:	e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	1'642'496 bytes
First seen:	2022-12-20 10:14:54 UTC
Last seen:	2022-12-20 11:32:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3548cf154854e23da2693c0c59187266 (2 x RustyStealer, 1 x AgentTesla)
ssdeep	24576:KBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khwkyITnoXlIEvXX:Kx6Rvik2VUKnzhQ4akWXUy
TLSH	T156759E09FD83AA6AC5BF1970206FB376EA3D881405158E73D7E88D70BA1F3216D9871D
TrID	43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	petikvx
Tags:	Agenda exe Ransomware RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

688

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

qilin-aka-agenda-ransomware.exe

Verdict:

No threats detected

Analysis date:

2022-10-12 08:04:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/26211c45-4bac-403c-876a-d19d88cab404

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/348317/

Detection(s):

SecuriteInfo.com.Variant.Babar.38057.7900.6935.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f25f761-bb88-49a3-b968-290bdc83c421

Result

Threat name:

Qilin

Detection:

malicious

Classification:

rans.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1088640

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Qilin Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527/

Threat name:

Win32.Ransomware.QilinCrypt

Status:

Malicious

First seen:

2022-09-15 10:00:01 UTC

File Type:

PE (Exe)

AV detection:

25 of 41 (60.98%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ef5vl27tsuqaez3ngprrzagevrbjaljwkolj2zxublxhcgceutq._file

Verdict:

malicious

Result

Malware family:

agenda

Score:

10/10

Tags:

family:agenda

Link:

https://tria.ge/reports/221220-maax2ahc44/

Unpacked files

SH256 hash:

e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

MD5 hash:

6a93e618e467ed13f98819172e24fffa

SHA1 hash:

d34550ebc2bee47c708c8e048eb78881468e6bca

Detections:

win_agendacrypt_auto

Link:

https://www.unpac.me/results/aa43545a-fc54-4b8a-8f64-7e8cb1e7c818/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	win_agendacrypt_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.agendacrypt.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/348317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample