🦀💮 Rust Malware Sample Gallery

Hokusai - Crab and Flowers

About

The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on. Malware written in Rust is rapidly becoming a significant problem, especially with the advent of high-impact ransomware families such as BlackCat. However, the knowledge in the malware reverse engineering community on how to reverse Rust binaries is still very poor.

I have collected at least one publicly available sample for each family. Definitive identification of malware families is hard, and I am not personally familiar with every malware family here, so I have tried to stick to sample hashes that are directly mentioned in the linked writeups. For each sample mentioned, a download link for that sample on either Malware Bazaar or MalShare is provided - neither of these sites require an account to download samples.

This is not meant to be a comprehensive effort to track the evolution of these malware families, or to collect every writeup about a malware family. I have tried to collect writeups that are technical, or that highlight something new or interesting about the family. The focus is also on malware that has been observed in the wild, so red teaming tools written in Rust won't be listed here, unless they have been seen in the wild by an independent party.

If you would like to contribute or see something that should be changed, please submit a Pull Request on this GitHub repository. Alternatively, you can Contact me directly.

Agenda Ransomware

Aliases

Qilin, AgendaCrypt

Writeups

• 2022-12-16 - Trend Micro - Agenda Ransomware Uses Rust to Target More Vital Industries

Malpedia

• win.agendacrypt

Samples

SHA-256 Hash	Download Link
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527	MalwareBazaar

BlackCat Ransomware

Aliases

ALPHV, Noberus

Writeups

• 2022-01-26 - Varonis - BlackCat Ransomware (ALPHV)

Malpedia

• win.blackcat
• elf.blackcat

Samples

SHA-256 Hash	Download Link
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83	MalwareBazaar

BlackCat Ransomware (Sphynx)

Aliases

ALPHV Sphynx

Writeups

• 2023-05-30 - IBM X-Force - BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

Malpedia

• win.blackcat
• elf.blackcat

Samples

SHA-256 Hash	Download Link
c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc	MalwareBazaar

CargoBay

Writeups

• 2022-11-29 - IBM X-Force - CargoBay BlackHat Backdoor Analysis Report (IRIS-14738) (mostly paywalled)
• 2023-02-17 - BushidoToken - Tweet thread regarding Rust malware tentatively identified as CargoBay 1 2 3 4 5

Malpedia

• win.cargobay

Samples

SHA-256 Hash	Download Link
a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5	MalwareBazaar

Notes

It's difficult to definitively identify CargoBay samples, as public information about it is limited. According to the publicly available contents of the 2022-11-29 IBM X-Force report, the source code of CargoBay is based on the source code from the book Black Hat Rust: https://github.com/skerkour/black-hat-rust

Convuster

Writeups

• 2021-03-18 - Kaspersky - Convuster: macOS adware now in Rust

Malpedia

• osx.convuster

Samples

SHA-256 Hash	Download Link
947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a	MalShare

Notes

This is technically not malware - it is adware.

CosmicRust

Writeups

• 2024-01-04 - Greg Lesnewich - 100DaysofYARA - CosmicRust

Samples

SHA-256 Hash	Download Link
3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a	MalShare

DeltaStealer

Writeups

• 2023-05-19 - Trend Micro - Rust-Based Info Stealers Abuse GitHub Codespaces

Malpedia

• win.deltastealer

Samples

SHA-256 Hash	Download Link
c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70	MalwareBazaar

ExeWho2

Writeups

• 2023-12-04 - Alex Perotti - ExeWho2 - A Tool from the Wild

Samples

SHA-256 Hash	Download Link
a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d	MalwareBazaar

Notes

Source code was found with the ExeWho2 binary; it is available at https://github.com/cyb3rkitties/exewho2

FickerStealer

Writeups

• 2020-10-27 - 3xp0rtblog - Tweet on FickerStealer
• 2021-07-19 - CyberArk - FickerStealer: A New Rust Player in the Market

Malpedia

• win.fickerstealer

Samples

SHA-256 Hash	Download Link
dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c	MalwareBazaar

See also all samples tagged with the FickerStealer signature on Malware Bazaar.

Freeze.rs

Writeups

• 2023-08-09 - Fortinet - Attackers Distribute Malware via Freeze.rs And SYK Crypter
• 2023-09-07 - Gi7w0rm - Uncovering DDGroup — A long-time threat actor

Samples

SHA-256 Hash	Download Link
afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb	MalShare

Notes

Source code (for the tool that generates the actual payloads) available at https://github.com/optiv/Freeze.rs

Hive Ransomware (Rust variant)

Writeups

• 2022-07-05 - Microsoft - Hive ransomware gets upgrades in Rust

Malpedia

• win.hive

Samples

SHA-256 Hash	Download Link
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3	MalwareBazaar

Hunters International Ransomware

Writeups

• 2023-11-09 - Bitdefender - Hive Ransomware's Offspring: Hunters International Takes the Stage

Samples

SHA-256 Hash	Download Link
c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e	MalwareBazaar

JLORAT

Writeups

• 2023-04-34 - Kaspersky - Tomiris called, they want their Turla malware back > Tomiris's polyglot toolset > JLORAT

Malpedia

• win.jlorat

Samples

SHA-256 Hash	Download Link
69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29	MalwareBazaar

Luca Stealer

Writeups

• 2022-08-18 - BlackBerry - Luca Stealer Targets Password Managers and Cryptocurrency Wallets
• Binary Defense - Digging through Rust to find Gold: Extracting Secrets from Rust Malware

Malpedia

• win.lucastealer

Samples

SHA-256 Hash	Download Link
99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022	MalShare

Notes

Source code available at https://web.archive.org/web/20220725203750/https://github.com/luca364/rust-stealer/archive/refs/heads/master.zip

Luna Ransomware

Writeups

• 2022-08-30 - Elastic - LUNA Ransomware Attack Pattern Analysis
• 2023-01-13 - Nikhil "Kaido" Hegde - Getting Rusty and Stringy with Luna Ransomware

Malpedia

• elf.luna

Samples

SHA-256 Hash	Download Link
1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51	MalShare

Nokoyawa Ransomware (Rust variant)

Writeups

• 2022-12-20 - Zscaler - Nokoyawa Ransomware: Rust or Bust

Malpedia

• win.nokoyawa

Samples

SHA-256 Hash	Download Link
7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6	MalwareBazaar

P2PInfect

Writeups

• 2023-07-19 - Palo Alto Networks - P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
• 2023-07-31 - Cado Security - Cado Security Labs Encounter Novel Malware, Redis P2Pinfect

Malpedia

• elf.p2pinfect

Samples

SHA-256 Hash	Download Link
3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f	MalwareBazaar

Notes

This sample (3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f) isn't one of the hashes mentioned in the linked reports; however, due to the nature of this malware, there are a lot of unique samples out there, and I was able to find this one after some hunting.

RansomExx2

Aliases

Defray, Defray777

Writeups

• 2022-11-22 - IBM X-Force - RansomExx upgrades to rust

Malpedia

• elf.ransomexx

Samples

SHA-256 Hash	Download Link
a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c	MalShare

Realst Stealer

Writeups

• 2023-07-06 - Iamdeadlyz - Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

Samples

SHA-256 Hash	Download Link
2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2	MalwareBazaar

See also all samples tagged with the RealstStealer tag on Malware Bazaar.

Rust-based loader for Rilide

Aliases

BRAINSTORM

Writeups

• 2023-04-04 - Trustwave - Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
• 2023-05-01 - Mandiant - A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors

Samples

SHA-256 Hash	Download Link
0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f	MalwareBazaar

Rust-based stealer used in RusticWeb campaign

Writeups

• 2023-12-21 - Seqrite - Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration

Malpedia

• win.unidentified_112

Samples

SHA-256 Hash	Download Link
db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32	MalShare

RustBucket

Writeups

• 2023-04-21 - Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
• 2023-07-13 - Elastic - The DPRK strikes using a new variant of RUSTBUCKET

Malpedia

• osx.rustbucket
• win.rustbucket

Samples

SHA-256 Hash	Download Link
9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747	MalShare
de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500	MalwareBazaar

Rustic Crypter

Writeups

• 2022-05-19 - IBM X-Force - ITG23 crypters highlight cooperation between cyber criminal groups

Samples

SHA-256 Hash	Download Link
45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676	MalwareBazaar

RustyBuer

Writeups

• 2021-05-03 - Proofpoint - New Variant of Buer Loader Written in Rust

Malpedia

• win.buer

Samples

SHA-256 Hash	Download Link
3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac	MalwareBazaar

RustyFlag

Writeups

• 2023-09-14 - Deep Instinct - Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets

Malpedia

• win.unidentified_110

Samples

SHA-256 Hash	Download Link
5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db	MalwareBazaar

SPICA

Writeups

• 2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Samples

SHA-256 Hash	Download Link
37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9	MalwareBazaar

SysJoker (Rust variant)

Aliases

RustDown

Writeups

• 2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
• 2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

Malpedia

• win.sysjoker

Samples

SHA-256 Hash	Download Link
d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72	MalShare

Zeon Ransomware (Rust variant)

Writeups

• 2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

Samples

SHA-256 Hash	Download Link
fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590	MalShare

Notes

There is a lack of good open reporting on Zeon Ransomware, so I will clarify a few potential points of confusion in the notes here.

There are samples which have been identified as Zeon Ransomware, but which are written with Python rather than Rust. These samples are packaged via PyInstaller, and obfuscated with PyArmor. For example, c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a (MalShare) is a PyInstaller file which drops a nearly identical ransom note as the highlighted Rust sample above, fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590 The ransom note of both samples say "All of your files are currently encrypted by ZEON strain", and link to the same Tor site (http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion), for victims to begin the payment process.

There is reporting which states that Zeon Ransomware is connected to Royal Ransomware, such as CISA's advisory on Royal Ransomware. However, I have not been able to find any reporting that states Royal Ransomware is written in Rust, nor any Rust samples of Royal Ransomware.