Malicious
Unsigned MSI installer showing process injection, LSASS access, direct-IP C2 and multiple YARA detections consistent with RustyStealer.
ac86ca5150d64af0b5…9e920733c1
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero engine detections normally favour a safe verdict, but the sandbox recorded three offensive MITRE techniques and direct-IP C2 traffic. Six YARA rules fired, including debugger checks and obfuscation patterns. Multiple independent researcher comments explicitly label the sample RustyStealer and link it to MalwareBazaar. The file is unsigned and drops an executable plus persistence artefacts. These signals together produce a malicious classification despite the engine silence.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.malicious=0 and engines.tier1Malicious=0 across 62 reporting engines
- externalIntel.yaraify.ruleCount=6 with rules DebuggerCheck__API, Sus_Obf_Enc_Spoof_Hide_PE, upxHook
- behaviour.offensiveTechniques includes T1055, T1543.003, T1548 and contactedIps 150.171.22.17, 93.186.135.80
- communityComments contain explicit RustyStealer family annotations and MalwareBazaar links
- prevalence.classification=common_old with 9477 submissions
- Zero engine detections
- Common_old prevalence with thousands of submissions
- No malicious dropped children
- Process injection into svchost.exe
- Direct IP contact bypassing DNS reputation
- LSASS memory access observed
- Multiple YARA rules for obfuscation and debugger evasion
- Researcher consensus on RustyStealer family
Treat the file as malicious and block or remove it; the behavioural and YARA evidence outweighs the clean engine results.
DebuggerCheck API corroborated by 2 sources
- 6 YARA rules: DebuggerCheck__API, NET, Sus_Obf_Enc_Spoof_Hide_PE
- MT AI Engine: rustystealer
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 150.171.22.17
- 93.186.135.80
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
1 corroborating signal from researcher-curated sources
- DebuggerCheck__API
- NET by malware-lu
- Sus_Obf_Enc_Spoof_Hide_PE by XiAnzheng: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
- upxHook by @r3dbU7z: Detect artifacts from 'upxHook' - modification of UPX packer
- maldoc_find_kernel32_base_method_1 by Didier Stevens (https://DidierStevens.com)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- DebuggerCheck__API
- NET
- Sus_Obf_Enc_Spoof_Hide_PE
- upxHook
- maldoc_find_kernel32_base_method_1
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 150.171.22.17 · 93.186.135.80
0 detections across 74 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: LiquidLauncher_0.5.0_x64_en-US.msi
- Size: 9.16 MB
- MIME type: (unknown)
- Detected type: Windows Installer
- SHA-256: ac86ca5150d64af0b55e22f65adac3cfd13aac88868085fcea3c019e920733c1
- MD5: 10afd2525f22a135856a24161501160d
- SHA-1: 61bb7449f2bb21525f6facc740d9176dec3f5107
- First seen (VT): 5/20/2025, 11:50:12 PM
- Last analysis (VT): 7/3/2026, 8:07:10 AM
- First scan (MalwareTips): 7/3/2026, 11:26:55 AM
- Last scan (MalwareTips): 7/3/2026, 11:26:55 AM
- Community reputation: -4 (flagged)