MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RustyStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 62 File information Comments

SHA256 hash:	1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7
SHA3-384 hash:	69cf29bb9764cc59a8d36ea4e6b3a7a0cabd4b9f6c29569aa3462c88cca6e8b53894f1e6a8edf23ae14e342f6c8e1bba
SHA1 hash:	4c219a04109734d4a50f591c720fa15c2e951912
MD5 hash:	1dea9bcf5ed297e9803b91e6b75fd3f3
humanhash:	nitrogen-india-tennis-carpet
File name:	file
Download:	download sample
Signature	RustyStealer Create hunting rule
File size:	4'859'160 bytes
First seen:	2026-06-20 19:02:00 UTC
Last seen:	2026-06-20 19:03:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a30c78a48c548a65b4846cfd9d8c7138 (2 x RustyStealer)
ssdeep	49152:LiHDazMZq/LXnxsCCGByl9Ah/uN0D8dfOBVgcjKoeW7Zi5u4KW7r+Da3dtUxnkdE:WHSGrQFpgIKscOi91Ehyo
TLSH	T10E264B03E2A541E8C09DC179C30BD637AB76B88A4631B29F1BE81F612F69F506F1D749
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	54e64e dropped-by-amadey exe RustyStealer

Bitsight

url: http://91.92.242.236/files-129312398/files/file_15c4fbb0658c3fd8.exe

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7.exe

Verdict:

Malicious activity

Analysis date:

2026-06-20 19:04:16 UTC

Tags:

generic stealer evasion rdp ip-check screenconnect rat rust

Link:

https://app.any.run/tasks/44602a9a-adb0-4ea2-b624-62b9cdcfb655

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71375/

Detection(s):

YARA.SECUINFRA_SUSP_Powershell_Download_Temp_Rundll_1.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a36e3cb1548daf709f8373d

Tags:

infosteal vmdetect emotet

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd crypto evasive explorer fingerprint keylogger lolbin microsoft_visual_cc overlay packed reconnaissance update

Link:

https://www.filescan.io/uploads/6a36e3ca90632a45f72ed6ab/reports/86df6fa3-a915-4ab6-acaa-48fd5e6299f5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan.Win64.Agent.sb Trojan.Win32.Qhost Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan-GameThief.Win32.Worgtop.f Trojan-GameThief.MSIL.Worgtop.c Trojan-GameThief.MSIL.Worgtop.b

Link:

https://opentip.kaspersky.com/1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b16e9c1f-c4a2-4be0-a75a-90a95d694922

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7

Verdict:

inconclusive

YARA:

8 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/1dea9bcf5ed297e9803b91e6b75fd3f3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7/

Verdict:

Malicious

Threat:

Family.SCREENCONNECT

Link:

https://tip.neiki.dev/file/1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2026-06-20 19:03:44 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtutdvrbw4grjpojbno4xdoiz7hgbybh6yhlf74jlrqo724p7ptq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260620-xp4h1ah13t/

Unpacked files

SH256 hash:

1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7

MD5 hash:

1dea9bcf5ed297e9803b91e6b75fd3f3

SHA1 hash:

4c219a04109734d4a50f591c720fa15c2e951912

Detections:

win_agent_tesla_g1

Link:

https://www.unpac.me/results/def9a9d4-44e3-408e-845c-d6af05884dea/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	Check_Dlls Create hunting rule

Rule name:	Check_FindWindowA_iat Create hunting rule

Rule name:	Check_VBox_Guest_Additions Create hunting rule

Rule name:	Check_VmTools Create hunting rule

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	crime_win32_ransom_lockbit_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects LockBit ransomware
Reference:	twitter

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	Detect_Zoom_Invite_malware_RAT_C2 Create hunting rule
Author:	daniyyell
Description:	Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	generic_IG_stealer Create hunting rule
Author:	RE4rensics
Description:	Detects stealers that interacts with IG endpoints after stealing IG cookies

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	hunting_generic_win_rat Create hunting rule
Author:	Ajin Deepak, AD2001
Description:	Hunting RATS based on common patterns

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	LucaStealer Create hunting rule
Author:	Chat3ux
Description:	Lucasstealer

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	MAL_Trigon_Dropper Create hunting rule
Author:	jaszzz
Description:	Trigon multi-stage malicious dropper - process injection, keylogging, screenshot capture
Reference:	URL\|trigon

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	SUSP_PowerShell_Download_Temp_Rundll Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detect a Download to %temp% and execution with rundll32.exe

Rule name:	SUSP_Scheduled_Tasks_Create_From_Susp_Dir Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	test_rule_vldslv Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands

Rule name:	WIN_SHADOW_UNPACKED Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RustyStealer

exe 1ce931d621b70d14bdc90b5dcb8dc8cfce60e027f60eb2ff895c60efeb8ffbe7

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/71375/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample