MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vidar


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8
SHA3-384 hash: 93ba1190ae60b9c65b2caa517a0c1634fd5b175df89d4a68715e7f323205c4c07fbf29ac67ceebe383168f475cb2049d
SHA1 hash: e1b33c8b87b13f1d3677b60446a48246d2c41260
MD5 hash: 6a099366018b563d0fbdb790209afe9f
humanhash: oranges-aspen-connecticut-mockingbird
File name:Aura.exe
Download: download sample
Signature Vidar
Create hunting rule
File size:2'780'064 bytes
First seen:2025-11-23 15:28:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 49152:Xs7uXhCFZDzMzCtjSfEyrzJmUqJVXzlP+5W6mfkAb+KKh+FScC:WuMlzdjSfFrP2DlW5W6msAb+KRFS3
TLSH T1CED5338B25F80275F87127B181F5414259313CF26E2552EF2A89F03A2B737846A7BF5B
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Aura.exe
Verdict:
Malicious activity
Analysis date:
2025-11-23 15:27:01 UTC
Tags:
autoit lumma stealer xor-url generic
Link:
https://app.any.run/tasks/35b7a83f-bbc3-40bd-addc-988cb3e20a90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41145/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69232832a59c70c97d69feca
Tags:
autorun autoit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB explorer installer installer installer-heuristic invalid-signature lolbin microsoft_visual_cc overlay packed rundll32 runonce sc sfx signed
Link:
https://www.filescan.io/uploads/6923284ef96b58f0dc80e11a/reports/e7447de1-87ad-4dd7-b4e8-f79ee0b2cd78/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-22T21:47:00Z UTC
Last seen:
2025-11-23T10:04:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Autoit.acxxt BSS:Trojan.Win32.Generic Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb
Link:
https://opentip.kaspersky.com/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8/results?tab=lookup
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819558
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1819558 Sample: Aura.exe Startdate: 23/11/2025 Architecture: WINDOWS Score: 100 56 mZamxBqQGwKrpPVzAKn.mZamxBqQGwKrpPVzAKn 2->56 58 www.google.com 2->58 60 2 other IPs or domains 2->60 72 Suricata IDS alerts for network traffic 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected Vidar stealer 2->76 78 3 other signatures 2->78 12 Aura.exe 1 26 2->12         started        15 CloudPilot.exe 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 54 C:\Users\user\AppData\Local\Temp\...\King, DOS 12->54 dropped 20 cmd.exe 1 12->20         started        23 sc.exe 1 12->23         started        98 Hijacks the control flow in another process 15->98 100 Modifies the context of a thread in another process (thread injection) 15->100 102 Injects a PE file into a foreign processes 15->102 104 Found direct / indirect Syscall (likely to bypass EDR) 15->104 25 CloudPilot.exe 15->25         started        signatures6 process7 signatures8 88 Drops PE files with a suspicious file extension 20->88 27 cmd.exe 4 20->27         started        30 conhost.exe 20->30         started        32 conhost.exe 23->32         started        process9 file10 52 C:\Users\user\AppData\Local\...\Wanting.com, PE32+ 27->52 dropped 34 Wanting.com 6 27->34         started        38 findstr.exe 1 27->38         started        process11 file12 50 C:\Users\user\AppData\...\CloudPilot.exe, PE32+ 34->50 dropped 80 Hijacks the control flow in another process 34->80 82 Contains functionality to inject threads in other processes 34->82 84 Modifies the context of a thread in another process (thread injection) 34->84 86 4 other signatures 34->86 40 Wanting.com 16 34->40         started        signatures13 process14 dnsIp15 62 82.25.63.150, 443, 49726, 49727 NTLGB United Kingdom 40->62 90 Tries to harvest and steal browser information (history, passwords, etc) 40->90 92 Writes to foreign memory regions 40->92 94 Allocates memory in foreign processes 40->94 96 2 other signatures 40->96 44 chrome.exe 1 40->44         started        signatures16 process17 dnsIp18 64 192.168.2.4, 138, 443, 49309 unknown unknown 44->64 47 chrome.exe 44->47         started        process19 dnsIp20 66 plus.l.google.com 142.250.105.113, 443, 49748 GOOGLEUS United States 47->66 68 play.google.com 172.253.124.138, 443, 49751 GOOGLEUS United States 47->68 70 3 other IPs or domains 47->70
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/6a099366018b563d0fbdb790209afe9f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yprmo64mcrbods6aqs4o5gv46py7rchtck2ys4fbmyybertkuh4a._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer
Link:
https://tria.ge/reports/251123-sw1y8sxqat/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Detects Vidar Stealer
Vidar
Vidar family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b050ac82-1740-4501-b4cc-bc753fd951e5
Unpacked files
SH256 hash:
c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8
MD5 hash:
6a099366018b563d0fbdb790209afe9f
SHA1 hash:
e1b33c8b87b13f1d3677b60446a48246d2c41260
Link:
https://www.unpac.me/results/ceee6399-8408-47d1-83c3-40340934d65c/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3e2c77b8c14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3e2c77b8c1442e1cbc084b8ee9abcf3f1f888f312b58970a1663012466aa1f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41145/

Comments