MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8fcebf0f68ee6030a3d659d5de3013ce02c219c593c7a7dd88ed98ac139c7a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RustyStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments

SHA256 hash: d8fcebf0f68ee6030a3d659d5de3013ce02c219c593c7a7dd88ed98ac139c7a3
SHA3-384 hash: 3e71ba33e9880a3e50db9d93c03749b828329144ce7c4cfc39197f7147c005f58a7e84f31327d6e9fd77f85bd1329779
SHA1 hash: dd18463fb2594e8d249600263cdd8dd01ca197d6
MD5 hash: 24f9bcafd4190e28b31cddc15c723f3a
humanhash: ohio-four-beer-network
File name:nvsvc.exe
Download: download sample
Signature RustyStealer
File size:83'893'480 bytes
First seen:2026-04-13 17:48:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37e209056a9135987843f29414ef659a (1 x RustyStealer)
ssdeep 1572864:76FPhcWXAmES8GFtsN6+kJJFaJzXiFUDKHXHXK9JhmDZ9ypcZUquzJHR1BmeF:8hckA9nGFt0tkbF9K9zEXypWmJxmu
TLSH T14B082313F79541ECC06AC174861A5233E772B8890730ABEF7ADC86252F52EE05E7D798
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:188-240-81-229 exe RustyStealer signed

Code Signing Certificate

Organisation:NVIDIA Corporation
Issuer:NVIDIA Corporation
Algorithm:sha256WithRSAEncryption
Valid from:2026-04-07T21:32:38Z
Valid to:2036-04-07T21:42:38Z
Serial number: 7a8ba42932324a8549e906bfcac94c36
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 189e69142707dea8e4d71956b26fa2b33e1d231733b200780cb25cd4e6f64d4a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
144
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
nvsvc.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 17:51:25 UTC
Tags:
anti-evasion antivm rust stealer arch-doc evasion auto-reg auto-startup auto-sch

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Searching for the window
Reading critical registry keys
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 expand lolbin overlay packed rust signed
Verdict:
Malicious
File Type:
exe x64
Detections:
PDM:Trojan.Win32.Generic NetTool.DiscoGetMe.HTTP.C&C
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw.expl.evad
Score:
100 / 100
Signature
AI detected malicious Powershell script
AI detected suspicious PE digital signature
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Excessive usage of taskkill to terminate processes
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897599 Sample: nvsvc.exe Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 84 shed.dual-low.part-0012.t-0009.t-msedge.net 2->84 86 part-0012.t-0009.t-msedge.net 2->86 88 6 other IPs or domains 2->88 108 Malicious sample detected (through community Yara rule) 2->108 110 Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet 2->110 112 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->112 114 8 other signatures 2->114 9 nvsvc.exe 40 2->9         started        14 nvsvc.exe 2->14         started        16 nvsvc.exe 2->16         started        signatures3 process4 dnsIp5 90 api.ipify.org 172.67.74.152, 443, 49698 CLOUDFLARENETUS United States 9->90 92 188.240.81.229, 1184 CIMEC-ASformerInstitutuldeMemorieCulturalaRO Romania 9->92 66 C:\Users\user\AppData\Roaming\...\nvsvc.exe, PE32+ 9->66 dropped 68 C:\ProgramData\Microsoft\...\nvsvc.exe, PE32+ 9->68 dropped 70 C:\Users\user\...\nvsvc.exe:Zone.Identifier, ASCII 9->70 dropped 72 4 other files (1 malicious) 9->72 dropped 122 Suspicious powershell command line found 9->122 124 Bypasses PowerShell execution policy 9->124 126 Drops PE files to the startup folder 9->126 18 cmd.exe 1 9->18         started        21 cmd.exe 9->21         started        23 cmd.exe 9->23         started        31 31 other processes 9->31 94 104.26.13.205, 443, 49701 CLOUDFLARENETUS United States 14->94 128 Tries to harvest and steal browser information (history, passwords, etc) 14->128 130 Excessive usage of taskkill to terminate processes 14->130 25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        29 cmd.exe 14->29         started        34 15 other processes 14->34 file6 signatures7 process8 file9 96 Uses cmd line tools excessively to alter registry or file data 18->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 18->98 100 Uses ipconfig to lookup or modify the Windows network settings 18->100 102 Potential Privilege Escalation using Task Scheduler highest RunLevel 18->102 41 2 other processes 18->41 36 reg.exe 21->36         started        39 conhost.exe 21->39         started        43 2 other processes 23->43 45 2 other processes 25->45 48 2 other processes 27->48 50 2 other processes 29->50 82 C:\Users\user\AppData\...\t112liek.cmdline, Unicode 31->82 dropped 104 Suspicious powershell command line found 31->104 106 Found suspicious powershell code related to unpacking or dynamic code loading 31->106 52 49 other processes 31->52 54 18 other processes 34->54 signatures10 process11 file12 116 Creates autostart registry keys with suspicious names 36->116 118 Creates multiple autostart registry keys 36->118 74 C:\Users\user\AppData\Local\...\1p13qpfu.dll, PE32 45->74 dropped 56 cvtres.exe 45->56         started        76 C:\Users\user\AppData\Local\...\1fb14z2s.dll, PE32 48->76 dropped 58 cvtres.exe 48->58         started        60 WmiPrvSE.exe 50->60         started        78 C:\Users\user\AppData\Local\...\t112liek.dll, PE32 52->78 dropped 80 C:\Users\user\AppData\Local\...\5hnfkcjo.dll, PE32 52->80 dropped 120 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 52->120 62 cvtres.exe 1 52->62         started        64 cvtres.exe 52->64         started        signatures13 process14
Gathering data
Threat name:
Win64.Trojan.Qwexlafiba
Status:
Malicious
First seen:
2026-04-11 10:25:05 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence spyware stealer
Behaviour
Gathers network information
Gathers system information
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Launches sc.exe
Hide Artifacts: Hidden Files and Directories
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Reads user/profile data of web browsers
Drops file in Drivers directory
Looks for VMWare drivers on disk
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments