File name:

rust-stealer-xss.exe

Full analysis: https://app.any.run/tasks/b7ea36f0-c67d-431f-b496-3b8b83a2d718
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 24, 2025, 16:54:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rust
antivm
rustystealer
stealer
evasion
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

2333F2D1961432033191517BA48698CB

SHA1:

9CC4424726683CED86D3A3AF9328E8F06B945F8A

SHA256:

FE663840CC6C0259F31698B0DA55E0A62D0AD3926FF960CFF710668B5921981E

SSDEEP:

98304:bqcJaDcBrATKj6AVF2FePmbPKqezX+C1bZEeUChVuOmxNJ8dv7ISNKIq5CxTW63z:bY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RUSTYSTEALER has been detected (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Steals credentials from Web Browsers

      • rust-stealer-xss.exe (PID: 6620)

    • Actions looks like stealing of personal data

      • rust-stealer-xss.exe (PID: 6620)

  • SUSPICIOUS

    • Get information on the list of running processes

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for VM detection VMWare (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for VM detection VirtualBox (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Uses WMIC.EXE to obtain CPU information

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for taking screenshot (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Starts POWERSHELL.EXE for commands execution

      • rust-stealer-xss.exe (PID: 6620)

    • Uses WMIC.EXE to obtain local storage devices information

      • rust-stealer-xss.exe (PID: 6620)

    • Uses WMIC.EXE to obtain computer system information

      • rust-stealer-xss.exe (PID: 6620)

    • The process hides Powershell's copyright startup banner

      • rust-stealer-xss.exe (PID: 6620)

    • The process bypasses the loading of PowerShell profile settings

      • rust-stealer-xss.exe (PID: 6620)

    • The process hide an interactive prompt from the user

      • rust-stealer-xss.exe (PID: 6620)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • rust-stealer-xss.exe (PID: 6620)

    • The process checks if it is being run in the virtual environment

      • rust-stealer-xss.exe (PID: 6620)

    • Checks for external IP

      • svchost.exe (PID: 2196)

  • INFO

    • Checks supported languages

      • rust-stealer-xss.exe (PID: 6620)

    • Reads the computer name

      • rust-stealer-xss.exe (PID: 6620)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5304)
      • WMIC.exe (PID: 7940)
      • WMIC.exe (PID: 8052)
      • WMIC.exe (PID: 8140)

    • Application based on Rust

      • rust-stealer-xss.exe (PID: 6620)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7408)

    • Creates files or folders in the user directory

      • rust-stealer-xss.exe (PID: 6620)

    • Reads the software policy settings

      • rust-stealer-xss.exe (PID: 6620)
      • slui.exe (PID: 7520)
      • slui.exe (PID: 7428)

    • Checks proxy server information

      • slui.exe (PID: 7428)
      • rust-stealer-xss.exe (PID: 6620)

    • Create files in a temporary directory

      • rust-stealer-xss.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:24 16:53:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 3181568
InitializedDataSize: 1326592
UninitializedDataSize: -
EntryPoint: 0x2fc9c6
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
152
Monitored processes
19
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RUSTYSTEALER rust-stealer-xss.exe wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs svchost.exe powershell.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5304"wmic" cpu get MaxClockSpeedC:\Windows\SysWOW64\wbem\WMIC.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6372"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6620"C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe" C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rust-stealer-xss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
6640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7320"tasklist" /FO CSVC:\Windows\SysWOW64\tasklist.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7408"powershell" -Command "Get-Process | Sort-Object -Property Id | Select-Object -Property MainWindowTitle | Where-Object {$_.MainWindowTitle -ne ''} | Format-Table -Property MainWindowTitle -WrapWrap"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7416\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 627
Read events
10 627
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\CreditCardDatabinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Cookiesbinary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Historybinary
MD5:FDDE63730E15DD2E18C540BA52B6A945
SHA256:40740EAABD14FC0E08D3B5EE340C1E1B372E158F61EF58AEED1EE4B3A3F4492E
6372powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nu5vnym0.gvx.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\Login Databinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
7408powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:60EEC996519FA88D761D65FAA59C9E5E
SHA256:9E1D06F2CE44BEF04ECE841D0E41FA1A37B900112181CB89AEBFF7AB5742BE97
7408powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0tf2pljx.ple.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620rust-stealer-xss.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6372powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jh4zkv5z.b0e.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\FdSbZOMSLzyPMgGICAPQyE3T2ovEBi\user_info.txttext
MD5:BF51F62D78A4EC23F06B9D87C1092E3B
SHA256:BB053275050DDF0AC3220A1EAA55568CA388F2E5CEB9D2FEDBBEC8C81B016E43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
31
DNS requests
23
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
95.101.35.8:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6620
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
6620
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4380
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.35.8:80
crl.microsoft.com
Orange
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 95.101.35.8
  • 95.101.35.35
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.131
  • 20.190.160.128
  • 20.190.160.20
  • 20.190.160.4
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.66
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
amazon.com
  • 52.94.236.248
  • 205.251.242.103
  • 54.239.28.85
whitelisted
cloudflare.com
  • 104.16.132.229
  • 104.16.133.229
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
6620
rust-stealer-xss.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
6620
rust-stealer-xss.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rust-stealer-xss.exe