MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RustyStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e
SHA3-384 hash: c68cc3d36bd5bd6a7c88cbfc4ee1586162b2b7361d31234522d2ab90ceb72e4fa00531f305e8b24a19af34f7a8998b50
SHA1 hash: ad7dea9b32a2dc19c1b3f6ae8d2cec62199ca321
MD5 hash: cf100c69d1de551da6707dac64a0dd93
humanhash: beer-kansas-zulu-twenty
File name:payload.exe
Download: download sample
Signature RustyStealer
Create hunting rule
File size:5'261'312 bytes
First seen:2026-04-14 21:19:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d437bc71e95142f3bc4991d118f776f (1 x RustyStealer)
ssdeep 49152:TfoAON6pZNmsxZ77pqFYZqiNx/3r9FGdkDyb26KrYF+9jFOOuAObDFlqilZG09cw:Dn78efDNxJrNg7XG09T+0y
TLSH T190364B21BA5A95ADC15AC474C3478A729A7174CF0B31B9FF40C492783F6AAF42E3C359
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:77-91-97-172 CoinMiner dropped-by-Stealc exe RustyStealer


Avatar
iamaachum
https://github.com/cblootah/test/raw/refs/heads/main/payload.exe

XMRig IOCs:
77.91.97.172:3333
http://77.91.97.172/xmrig.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
x86182401ea38e5dda9c4263af4d90e35eb7032db25c5ac40a622050214cc8faa.exe
Verdict:
Malicious activity
Analysis date:
2026-04-12 12:36:21 UTC
Tags:
stealer stealc github loader telegram evasion auto-sch auto-sch-xml auto-reg xmrig amsi-bypass rust
Link:
https://app.any.run/tasks/e41394b0-d7b7-4eff-8b9f-e4d925aa62cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61607/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69deaf72f68adfe10039e005
Tags:
ransomware autorun shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug coinminer mikey rust
Link:
https://www.filescan.io/uploads/69deaf6b799d5bf325fe70e4/reports/1082ff2f-8c1b-4212-a38c-bb94ae8d1c22/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-10T15:35:00Z UTC
Last seen:
2026-04-16T06:42:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agentb.sb BSS:Trojan.Win32.Generic HEUR:Trojan.Win32.Agentb.gen HEUR:HackTool.Multi.AmsiETWPatch.gen
Link:
https://opentip.kaspersky.com/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ee3c77df-4e19-4902-bc51-691aa80a8b40
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1898351
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898351 Sample: payload.exe Startdate: 14/04/2026 Architecture: WINDOWS Score: 100 60 api.telegram.org 2->60 62 release-assets.githubusercontent.com 2->62 64 3 other IPs or domains 2->64 72 Suricata IDS alerts for network traffic 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for dropped file 2->76 80 9 other signatures 2->80 8 payload.exe 1 18 2->8         started        13 payload.exe 2->13         started        15 payload.exe 2->15         started        17 2 other processes 2->17 signatures3 78 Uses the Telegram API (likely for C&C communication) 60->78 process4 dnsIp5 66 77.91.97.172, 3333, 49699, 49704 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->66 68 ip-api.com 208.95.112.1, 49693, 80 TUT-ASUS United States 8->68 70 4 other IPs or domains 8->70 52 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 8->52 dropped 54 C:\Users\user\AppData\Roaming\...\payload.exe, PE32+ 8->54 dropped 56 C:\Users\user\AppData\Roaming\...\RCX8A76.tmp, PE32+ 8->56 dropped 58 5 other malicious files 8->58 dropped 92 Suspicious powershell command line found 8->92 94 Found strings related to Crypto-Mining 8->94 96 Uses cmd line tools excessively to alter registry or file data 8->96 100 6 other signatures 8->100 19 svchost.exe 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        34 36 other processes 8->34 98 Multi AV Scanner detection for dropped file 13->98 26 conhost.exe 13->26         started        28 conhost.exe 15->28         started        30 conhost.exe 17->30         started        32 conhost.exe 17->32         started        file6 signatures7 process8 signatures9 82 System process connects to network (likely due to code injection or exploit) 19->82 84 Multi AV Scanner detection for dropped file 19->84 86 Query firmware table information (likely to detect VMs) 19->86 88 Uses cmd line tools excessively to alter registry or file data 22->88 36 conhost.exe 22->36         started        38 reg.exe 1 22->38         started        40 conhost.exe 24->40         started        42 reg.exe 1 24->42         started        90 Loading BitLocker PowerShell Module 34->90 44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 50 other processes 34->50 process10
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-11 02:18:30 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyko6j5df2wkbsui7yl6mwwqvcfa7vd5fot254mwwpzmjnekubxa._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig execution miner persistence
Link:
https://tria.ge/reports/260414-z6hnzabw2p/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: xmrig
XMRig Miner payload
Unpacked files
SH256 hash:
4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e
MD5 hash:
cf100c69d1de551da6707dac64a0dd93
SHA1 hash:
ad7dea9b32a2dc19c1b3f6ae8d2cec62199ca321
Link:
https://www.unpac.me/results/7b447bfe-cc1d-41d9-9360-aa4acba189ae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 7d3442ea825ef12fec37ce5f2fa386c148780aa1288c42cae408449f0dd573d0

Stealc

Executable exe fb176719a4819edb677357bdefdc2dd270330395b040933344b50ead500a6a7b

RustyStealer

Executable exe 4e14ef27a32eaca0ca88fe17e65ad0a88a0fd47d2ba7aef196b3f2c4b48aa06e

(this sample)

  
Link
https://tria.ge/260414-zz7phsbv8n/behavioral2
  
Dropped by
SHA256 fb176719a4819edb677357bdefdc2dd270330395b040933344b50ead500a6a7b
  
Delivery method
Distributed via web download
  
Dropped by
MD5 bed72d0f3df3bc2f29af241d591655cd
Cape
Cape
https://www.capesandbox.com/analysis/61607/
  
URLhaus
https://urlhaus.abuse.ch/url/3822458/

Comments