MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00cd20d10209b8f2744523ebeb5932bdbf969dfee9ceee9aa659c0b10e3369f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RustyStealer


Vendor detections: 13



SHA256 hash: e00cd20d10209b8f2744523ebeb5932bdbf969dfee9ceee9aa659c0b10e3369f
SHA3-384 hash: 5aa7927651ce20a718b81d17229ddf24ed33d62b9947c7b645cdd8dd31840ad9bed63c05c112c9e7a3f2903a3645bc74
SHA1 hash: 3526b193e70eb708c42c8393550a0db7a74d142d
MD5 hash: a725c940cf743957fe8d061dee5e3509
humanhash: blossom-romeo-triple-alanine
File name: file
Signature: RustyStealer
File size: 2'826'752 bytes
First seen: 2026-06-26 20:52:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55efd29c0f070c5d716b6d37ecb2ab4f (1 x RustyStealer)
ssdeep: 49152:pCIWqK45TFK9ficehbhOliFDXyz2N6CStMOAY6dKynsbU5Y7kAEnSL5r1u:SqK+09fhehsmCzl3zAY6AqWXE85h
TLSH: T1DCD53360110FE7EBDA12AC30678607E5931416CF1BCD601A3DAAB6F4A9736F22376746
TrID: 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.ICL) Windows Icons Library (generic) (2059/9)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: b dropped-by-gcleaner exe MIX7.file RustyStealer UPX


Bitsight
url: http://158.94.209.95/service
File size (compressed): 2'826'752 bytes
File size (de-compressed): 6'486'016 bytes
Format:win64/pe
Unpacked file: 39fec39c77cc6e2ba2c37b15485d7b7e6ec51f7aea047865adc414f52422529e
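The hash block above identifies this file, and the Bitsight note says the 2'826'752-byte UPX-compressed file unpacks to 6'486'016 bytes. The Python below is an added example, not MalwareBazaar's or Bitsight's code: it computes the same MD5/SHA1/SHA256/SHA3-384 set from a file's bytes, compares a SHA256 against an indicator in constant time, walks the DOS/COFF headers and section table by hand to report the PE32+/PE32 format with each section's name, raw size and entropy, and flags the UPX-style layout (a UPX0 section with no raw data beside a high-entropy UPX1). The PE it runs on is a minimal skeleton constructed inline, not this sample; ssdeep, TLSH and imphash are not computed because they need external libraries (ssdeep, tlsh, pefile).

```python
import collections
import hashlib
import hmac
import math
import struct

# SHA256 listed on the MalwareBazaar entry; only used for the comparison in main().
PAGE_SHA256 = "e00cd20d10209b8f2744523ebeb5932bdbf969dfee9ceee9aa659c0b10e3369f"


def file_hashes(data: bytes) -> dict:
    """Same hash set the entry lists: md5, sha1, sha256, sha3_384."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha3_384")}


def matches_indicator(data: bytes, sha256_hex: str) -> bool:
    """Constant-time compare of the file's SHA256 with an indicator hash."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), sha256_hex.lower())


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8.0, padding near 0.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(buf).values())


def pe_sections(data: bytes):
    """Parse the DOS/COFF headers and the section table by hand (no pefile).
    Returns ("win64/pe" | "win32/pe" | "unknown", [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # first optional-header field
    fmt = {0x20B: "win64/pe", 0x10B: "win32/pe"}.get(magic, "unknown")
    table = e_lfanew + 24 + opt_size                           # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr, *_rest = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "raw_size": rsize, "entropy": round(shannon_entropy(raw), 2)})
    return fmt, sections


def looks_upx_packed(sections):
    """Two independent signals: UPX* section names and a high-entropy section."""
    reasons = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        reasons.append("UPX-named sections")
    if any(s["raw_size"] and s["entropy"] > 7.0 for s in sections):
        reasons.append("high-entropy section")
    return bool(reasons), reasons


def build_fake_upx_pe() -> bytes:
    """Constructed PE32+ skeleton with a UPX-style section table: test input
    only, NOT the sample on this page (all other header fields are zero)."""
    secs = [(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"\x00" * 64)]
    e_lfanew, opt_size = 64, 240
    raw_off = ((e_lfanew + 24 + opt_size + 40 * len(secs)) + 511) // 512 * 512
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\x00")
    table, body, va = b"", b"", 0x1000
    for name, raw in secs:
        ptr = raw_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, va, len(raw), ptr, 0, 0, 0, 0, 0xE0000040)
        body += raw
        va += 0x1000
    return (dos + coff + opt + table).ljust(raw_off, b"\x00") + body


if __name__ == "__main__":
    sample = build_fake_upx_pe()           # swap for open(path, "rb").read()
    fmt, secs = pe_sections(sample)
    print(fmt, looks_upx_packed(secs))
    for s in secs:
        print(f"  {s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']}")
    for algo, digest in file_hashes(sample).items():
        print(f"{algo:>8}: {digest}")
    print("matches page SHA256:", matches_indicator(sample, PAGE_SHA256))
```

The section-name check is the weaker of the two signals: modified UPX builds rename UPX0/UPX1 (the upxHook rule further down this page exists for exactly that), which is also why TrID only gives this file 63.5% for a UPX Win64 executable, so per-section entropy is the signal to trust. To reproduce the Bitsight numbers on the real file, run `upx -d` on a copy and hash the output; the SHA256 should equal the Unpacked file hash listed above.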

Intelligence


File Origin
# of uploads: 1
# of downloads: 154
Origin country: US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-26 20:55:54 UTC
Tags:
stealer upx ip-check

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug crypto crypto keylogger mingw overlay packed packed packed reconnaissance upx xor-pe xor-url
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-26T18:13:00Z UTC
Last seen:
2026-06-27T20:09:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.PowerShell.Generic Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Trojan.Win64.Agentb.lkbn
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Malware.Heuristic
Status:
Malicious
First seen:
2026-06-26 20:53:49 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
20 of 38 (52.63%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
10/10
Tags:
defense_evasion execution persistence spyware stealer trojan upx
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Drops file in System32 directory
UPX packed file
Reads user/profile data of web browsers
Windows security modification
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Windows security bypass
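The two behaviour lists above (taskkill, hidden attribute, scheduled task, PowerShell, Windows security modification) are sandbox labels, not command lines. As an added example that is not MalwareBazaar's or any listed vendor's code, the Python below turns those behaviour classes into command-line rules, runs them over constructed Sysmon-style process-creation events (the command lines are illustrative and are not this sample's), and scores each parent process chain so that the combination of behaviours, plus a parent running from a user-writable directory, produces the verdict rather than any single hit. The rule names reuse the page's labels; the regexes, weights, thresholds, paths and events are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # behaviour label, as the sandbox reports it
    pattern: re.Pattern  # matched against the child's command line
    weight: int


RULES = [
    Rule("Kills process with taskkill",
         re.compile(r"\btaskkill(?:\.exe)?\b.*\s/(?:f|im|pid)\b", re.I), 2),
    Rule("Sets file to hidden",
         re.compile(r"\battrib(?:\.exe)?\b.*\+h\b", re.I), 2),
    Rule("Scheduled Task/Job: Scheduled Task",
         re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I), 2),
    Rule("Command and Scripting Interpreter: PowerShell",
         re.compile(r"\bpowershell(?:\.exe)?\b.*(?:-enc(?:odedcommand)?\b|"
                    r"-w(?:indowstyle)?\s+hidden\b|-nop\b)", re.I), 2),
    Rule("Windows security modification",
         re.compile(r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware|"
                    r"DisableRealtimeMonitoring", re.I), 4),
]

# User-writable locations a dropper's parent typically runs from (the same idea as
# the SUSP_Scheduled_Tasks_Create_From_Susp_Dir YARA rule listed on this page).
SUSPICIOUS_DIR = re.compile(r"\\(?:Temp|AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\", re.I)

# Constructed Sysmon-style process-creation events; paths and commands are
# illustrative, not the sample's real activity.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\file.exe"
ADMIN_SHELL = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ParentImage": DROPPER, "CommandLine": r'cmd.exe /c taskkill /f /im msedge.exe'},
    {"ParentImage": DROPPER, "CommandLine": r'attrib +h +s C:\ProgramData\svc\upd.exe'},
    {"ParentImage": DROPPER, "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\ProgramData\svc\upd.exe" /sc minute /mo 5 /f'},
    {"ParentImage": DROPPER, "CommandLine": r'powershell.exe -nop -w hidden -enc <base64 omitted>'},
    {"ParentImage": DROPPER, "CommandLine": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # Legitimate admin creating a backup task: fires one rule on its own.
    {"ParentImage": ADMIN_SHELL, "CommandLine": r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]


def match_event(cmdline: str):
    """Names of every behaviour rule the command line triggers."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def score_chain(parent_image: str, events):
    """Score one parent's children as a unit: each behaviour counts once, and a
    parent in a user-writable directory adds a fixed bonus."""
    hits = set()
    for e in events:
        hits.update(match_event(e["CommandLine"]))
    score = sum(r.weight for r in RULES if r.name in hits)
    if SUSPICIOUS_DIR.search(parent_image):
        hits.add("Parent image runs from a user-writable directory")
        score += 2
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 2 else "clean"
    return {"parent": parent_image, "score": score, "verdict": verdict, "behaviours": sorted(hits)}


def triage(events):
    """Group by ParentImage for the example; a real pipeline keys on the parent
    process GUID/PID so two processes with the same image are not merged."""
    chains = defaultdict(list)
    for e in events:
        chains[e["ParentImage"]].append(e)
    return [score_chain(parent, evs) for parent, evs in chains.items()]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f"{result['verdict']:<10} score={result['score']:<3} {result['parent']}")
        for b in result["behaviours"]:
            print("    -", b)
```

The admin chain comes out "suspicious" on the scheduled-task rule alone, which is the point: each label above is a weak signal by itself, and the sandboxes on this page reach 94.9% and 10/10 from the combination. Tuning (for example allowlisting `/tr` targets under Program Files, or requiring a non-system parent) is left to the analyst.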
Unpacked files
SHA256 hash:
e00cd20d10209b8f2744523ebeb5932bdbf969dfee9ceee9aa659c0b10e3369f
MD5 hash:
a725c940cf743957fe8d061dee5e3509
SHA1 hash:
3526b193e70eb708c42c8393550a0db7a74d142d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Author:ditekSHen
Description:Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Rule name:pe_detect_tls_callbacks
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell script that creates a Scheduled Task that runs from a suspicious directory
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:test_rule_vldslv
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Author:k3nr9
Rule name:vbaproject_bin
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WIN_FileFix_Detection
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands
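The SUSP_XORed_MSDOS_Stub_Message rule above (and the xor-pe / xor-url tags one sandbox assigned) rely on YARA's `xor` string modifier, which matches every single-byte-XOR variant of the DOS stub text, a common sign of an embedded, obfuscated PE. As an added example, not MalwareBazaar's or the rule author's code, the Python below does the same search by hand, then walks back from a hit to recover the XORed MZ header and confirms its e_lfanew points at a PE signature before trusting the key. The carrier blob is constructed inline and is not this sample.

```python
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def find_xored_dos_stubs(data: bytes, keys=range(1, 256)):
    """Equivalent of YARA's `xor(0x01-0xff)` modifier on the stub message:
    returns [(offset, key), ...] for every single-byte-XOR variant found.
    Key 0 is the plain string and is left to ordinary string search."""
    hits = []
    for key in keys:
        needle = xor_bytes(DOS_STUB_MSG, key)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return hits


def recover_pe(data: bytes, stub_offset: int, key: int):
    """Walk back from a stub hit to the XORed 'MZ', decode from there and check
    that e_lfanew lands on 'PE\\0\\0'. Returns (mz_offset, decoded) or None."""
    mz = xor_bytes(b"MZ", key)
    start = max(0, stub_offset - 0x80)       # the stub sits inside the 0x80-byte DOS header area
    idx = data.rfind(mz, start, stub_offset)
    while idx != -1:
        decoded = xor_bytes(data[idx:], key)
        if len(decoded) >= 0x40:
            e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
            if decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return idx, decoded
        idx = data.rfind(mz, start, idx)     # try an earlier 'MZ' candidate
    return None


def build_fake_xored_blob(key: int = 0x5A) -> bytes:
    """Constructed carrier: junk, then a minimal DOS header with the stub message
    and a PE signature XORed with `key`, then junk. Test input only, not the sample."""
    header = bytearray(0x84)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", 0x80)             # e_lfanew
    header[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG     # where the MS linker stub puts it
    header[0x80:0x84] = b"PE\x00\x00"
    junk = b"\x11\x22\x33\x44" * 16
    return junk + xor_bytes(bytes(header), key) + junk


if __name__ == "__main__":
    blob = build_fake_xored_blob()           # swap for open(path, "rb").read()
    for offset, key in find_xored_dos_stubs(blob):
        found = recover_pe(blob, offset, key)
        status = f"MZ at {found[0]:#x}, PE signature confirmed" if found else "no valid header"
        print(f"stub at {offset:#x} key={key:#04x}: {status}")
```

A single-byte XOR is the only case both the rule and this search cover; a multi-byte or rolling key needs a different approach (known-plaintext against the whole DOS header, or entropy-guided carving). Carve the decoded bytes to a file and run them through the section parser and hash set of the earlier example to tie the embedded PE back to a known hash.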

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: RustyStealer, Executable exe, e00cd20d10209b8f2744523ebeb5932bdbf969dfee9ceee9aa659c0b10e3369f (this sample)
Dropped by: Gcleaner

Comments