File name:

rust-stealer-xss.exe

Full analysis: https://app.any.run/tasks/b7ea36f0-c67d-431f-b496-3b8b83a2d718
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 24, 2025, 16:54:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rust
antivm
rustystealer
stealer
evasion
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

2333F2D1961432033191517BA48698CB

SHA1:

9CC4424726683CED86D3A3AF9328E8F06B945F8A

SHA256:

FE663840CC6C0259F31698B0DA55E0A62D0AD3926FF960CFF710668B5921981E

SSDEEP:

98304:bqcJaDcBrATKj6AVF2FePmbPKqezX+C1bZEeUChVuOmxNJ8dv7ISNKIq5CxTW63z:bY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RUSTYSTEALER has been detected (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Actions looks like stealing of personal data

      • rust-stealer-xss.exe (PID: 6620)

    • Steals credentials from Web Browsers

      • rust-stealer-xss.exe (PID: 6620)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain CPU information

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for VM detection VMWare (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Starts POWERSHELL.EXE for commands execution

      • rust-stealer-xss.exe (PID: 6620)

    • Uses WMIC.EXE to obtain local storage devices information

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for VM detection VirtualBox (YARA)

      • rust-stealer-xss.exe (PID: 6620)

    • Uses WMIC.EXE to obtain computer system information

      • rust-stealer-xss.exe (PID: 6620)

    • The process checks if it is being run in the virtual environment

      • rust-stealer-xss.exe (PID: 6620)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • The process bypasses the loading of PowerShell profile settings

      • rust-stealer-xss.exe (PID: 6620)

    • The process hide an interactive prompt from the user

      • rust-stealer-xss.exe (PID: 6620)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • rust-stealer-xss.exe (PID: 6620)

    • The process hides Powershell's copyright startup banner

      • rust-stealer-xss.exe (PID: 6620)

    • Get information on the list of running processes

      • rust-stealer-xss.exe (PID: 6620)

    • There is functionality for taking screenshot (YARA)

      • rust-stealer-xss.exe (PID: 6620)

  • INFO

    • Reads the computer name

      • rust-stealer-xss.exe (PID: 6620)

    • Checks supported languages

      • rust-stealer-xss.exe (PID: 6620)

    • Application based on Rust

      • rust-stealer-xss.exe (PID: 6620)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7408)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5304)
      • WMIC.exe (PID: 8140)
      • WMIC.exe (PID: 7940)
      • WMIC.exe (PID: 8052)

    • Checks proxy server information

      • rust-stealer-xss.exe (PID: 6620)
      • slui.exe (PID: 7428)

    • Create files in a temporary directory

      • rust-stealer-xss.exe (PID: 6620)

    • Creates files or folders in the user directory

      • rust-stealer-xss.exe (PID: 6620)

    • Reads the software policy settings

      • rust-stealer-xss.exe (PID: 6620)
      • slui.exe (PID: 7520)
      • slui.exe (PID: 7428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:24 16:53:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 3181568
InitializedDataSize: 1326592
UninitializedDataSize: -
EntryPoint: 0x2fc9c6
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
152
Monitored processes
19
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RUSTYSTEALER rust-stealer-xss.exe wmic.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs svchost.exe powershell.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5304"wmic" cpu get MaxClockSpeedC:\Windows\SysWOW64\wbem\WMIC.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6372"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6620"C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe" C:\Users\admin\AppData\Local\Temp\rust-stealer-xss.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rust-stealer-xss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
6640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7320"tasklist" /FO CSVC:\Windows\SysWOW64\tasklist.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7408"powershell" -Command "Get-Process | Sort-Object -Property Id | Select-Object -Property MainWindowTitle | Where-Object {$_.MainWindowTitle -ne ''} | Format-Table -Property MainWindowTitle -WrapWrap"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exerust-stealer-xss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7416\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 627
Read events
10 627
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
7408powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0tf2pljx.ple.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\FdSbZOMSLzyPMgGICAPQyE3T2ovEBi\sensitive-files.zipcompressed
MD5:F495250D272262761E270C4DD2053CD5
SHA256:2552AF8A232F157EC303942CE3BBC3A44461CBAF218C278644F13B04F05EDF8D
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\CreditCardDatabinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\FdSbZOMSLzyPMgGICAPQyE3T2ovEBi\user_info.txttext
MD5:BF51F62D78A4EC23F06B9D87C1092E3B
SHA256:BB053275050DDF0AC3220A1EAA55568CA388F2E5CEB9D2FEDBBEC8C81B016E43
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\out.zipcompressed
MD5:76D7EE55BAD29B40E3A7AF9237F68A6C
SHA256:DA241163494C95C03BCAF13AF1B72204131FDC686963DF40740D94688D31E38F
7408powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fh31bfsv.dnj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\sensitive-files.zipcompressed
MD5:F495250D272262761E270C4DD2053CD5
SHA256:2552AF8A232F157EC303942CE3BBC3A44461CBAF218C278644F13B04F05EDF8D
6620rust-stealer-xss.exeC:\Users\admin\AppData\Local\Temp\FdSbZOMSLzyPMgGICAPQyE3T2ovEBi\pc_info.txttext
MD5:417A9B83D014F7C759E39BEA4C5DEA96
SHA256:35D311BBDBE4E7BAFC8D7C128BA002502540153EDFC2C9449463D9C198DA32BE
7408powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:60EEC996519FA88D761D65FAA59C9E5E
SHA256:9E1D06F2CE44BEF04ECE841D0E41FA1A37B900112181CB89AEBFF7AB5742BE97
6372powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jh4zkv5z.b0e.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
31
DNS requests
23
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6620
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
6620
rust-stealer-xss.exe
GET
200
195.201.57.90:80
http://195.201.57.90:80/?output=json
unknown
unknown
1164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.35.8:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4380
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.35.8:80
crl.microsoft.com
Orange
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 95.101.35.8
  • 95.101.35.35
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.131
  • 20.190.160.128
  • 20.190.160.20
  • 20.190.160.4
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.66
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
amazon.com
  • 52.94.236.248
  • 205.251.242.103
  • 54.239.28.85
whitelisted
cloudflare.com
  • 104.16.132.229
  • 104.16.133.229
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
6620
rust-stealer-xss.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
6620
rust-stealer-xss.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rust-stealer-xss.exe