MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AurotunStealer


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
SHA3-384 hash: 86638d9c2d86749dc9335ee36ed093fd832fdf3b01cb231773f981d9493b2bf4bf455679ac4d9c7848bfa6645dda09ed
SHA1 hash: f4019a2aed018d70fac0ce3d4a03b63628a4cc4b
MD5 hash: 11f28ad6c800d24a4276946c2d9cf7cf
humanhash: floor-pennsylvania-princess-massachusetts
File name:11f28ad6c800d24a4276946c2d9cf7cf.exe
Download: download sample
Signature AurotunStealer
Create hunting rule
File size:17'855'851 bytes
First seen:2025-09-27 18:05:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 393216:ZinASS+VmJ4fvNenKLE2i2m4+++6eBj9jw63iN0R:8nASo4dFLD6rfBfyNM
Threatray 44 similar samples on MalwareBazaar
TLSH T1F307337FF228643ED4AE0A3249739220A97BBB61655BCC5B47F4091CCF661301F3EA56
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:AurotunStealer exe


Avatar
abuse_ch
AurotunStealer C2:
46.173.214.102:42873

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.173.214.102:42873 https://threatfox.abuse.ch/ioc/1602842/

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764.exe
Verdict:
Malicious activity
Analysis date:
2025-09-27 18:06:14 UTC
Tags:
hijackloader loader python auto-startup aurotun stealer
Link:
https://app.any.run/tasks/0e0444bb-9269-439a-9b9d-cfb1a85106b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29289/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d8279291dd51f6514f27e7
Tags:
backdoor dropper spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a service
Launching a service
Loading a system driver
DNS request
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Enabling autorun for a service
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 embarcadero_delphi expand explorer fingerprint infostealer innosetup installer keylogger lolbin overlay packed zero
Link:
https://www.filescan.io/uploads/68d8278a74e5a2898996136a/reports/9029a214-5b07-4ac7-8637-1477b52d3ac8/overview
Verdict:
Malicious
Labled as:
Generik.MVSFJNM trojan
Link:
https://www.hybrid-analysis.com/sample/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-23T03:11:00Z UTC
Last seen:
2025-09-23T03:11:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan.Win32.Delf.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Coins.sb Trojan.Win32.Penguish.fsz Trojan.Win32.Agent.sb NetTool.cURLGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764/results?tab=lookup
Result
Threat name:
Remcos, Aurotun Stealer, HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785239
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Aurotun Stealer
Yara detected HijackLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785239 Sample: LM8XogzXLe.exe Startdate: 27/09/2025 Architecture: WINDOWS Score: 100 88 brpt.xyz 2->88 90 blatsprt.xyz 2->90 92 5 other IPs or domains 2->92 104 Suricata IDS alerts for network traffic 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 112 11 other signatures 2->112 11 LM8XogzXLe.exe 2 2->11         started        14 Tech_Uti16.exe 5 2->14         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 signatures3 110 Performs DNS queries to domains with low reputation 90->110 process4 dnsIp5 82 C:\Users\user\AppData\...\LM8XogzXLe.tmp, PE32 11->82 dropped 22 LM8XogzXLe.tmp 3 18 11->22         started        84 C:\Users\user\AppData\Local\...\1004400.tmp, PE32+ 14->84 dropped 134 Modifies the context of a thread in another process (thread injection) 14->134 136 Maps a DLL or memory area into another process 14->136 25 AtomicR.exe 14->25         started        27 AFUWINGUIx64.EXE 14->27         started        29 Chime.exe 14->29         started        138 Changes security center settings (notifications, updates, antivirus, firewall) 17->138 31 MpCmdRun.exe 1 17->31         started        94 127.0.0.1 unknown unknown 19->94 file6 signatures7 process8 file9 66 C:\Users\user\AppData\Local\...\ssleay32.dll, PE32+ 22->66 dropped 68 C:\Users\user\AppData\Local\...\libeay32.dll, PE32+ 22->68 dropped 70 C:\Users\user\AppData\...\dynsimpleipc.dll, PE32+ 22->70 dropped 72 2 other malicious files 22->72 dropped 33 Tech_Uti16.exe 7 22->33         started        37 conhost.exe 31->37         started        process10 file11 58 C:\ProgramData\httpalt_ewd\ssleay32.dll, PE32+ 33->58 dropped 60 C:\ProgramData\httpalt_ewd\libeay32.dll, PE32+ 33->60 dropped 62 C:\ProgramData\httpalt_ewd\dynsimpleipc.dll, PE32+ 33->62 dropped 64 C:\ProgramData\httpalt_ewd\Tech_Uti16.exe, PE32+ 33->64 dropped 102 Found direct / indirect Syscall (likely to bypass EDR) 33->102 39 Tech_Uti16.exe 9 33->39         started        signatures12 process13 file14 74 C:\Users\user\AtomicR.exe, PE32+ 39->74 dropped 76 C:\Users\user\AppData\Local\...DC6393.tmp, PE32+ 39->76 dropped 78 C:\ProgramData\...\AFUWINGUIx64.EXE, PE32+ 39->78 dropped 80 C:\ProgramData\httpalt_ewd\Chime.exe, PE32 39->80 dropped 116 Drops PE files to the user root directory 39->116 118 Modifies the context of a thread in another process (thread injection) 39->118 120 Found hidden mapped module (file has been removed from disk) 39->120 122 2 other signatures 39->122 43 AtomicR.exe 1 39->43         started        48 Chime.exe 2 39->48         started        50 AFUWINGUIx64.EXE 39->50         started        signatures15 process16 dnsIp17 98 sprtsolutions.com 46.173.214.102, 42873, 49720 GARANT-PARK-INTERNETRU Russian Federation 43->98 100 api.ipify.org 172.67.74.152, 443, 49723, 49726 CLOUDFLARENETUS United States 43->100 86 C:\Users\user\...\Hpigubz0k6EFN4hgnUZW, PE32+ 43->86 dropped 124 Tries to harvest and steal browser information (history, passwords, etc) 43->124 126 Writes to foreign memory regions 43->126 128 Allocates memory in foreign processes 43->128 132 8 other signatures 43->132 52 cmd.exe 4 43->52         started        56 chrome.exe 43->56         started        130 Switches to a custom stack to bypass stack traces 48->130 file18 signatures19 process20 dnsIp21 96 brpt.xyz 141.8.199.108, 23581, 49729, 49730 SPRINTHOSTRU Russian Federation 52->96 114 Detected Remcos RAT 52->114 signatures22
Score:
47%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/11f28ad6c800d24a4276946c2d9cf7cf
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764/
Verdict:
Malicious
Threat:
Family.AUROTUN
Link:
https://tip.neiki.dev/file/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-23 08:02:33 UTC
File Type:
PE (Exe)
Extracted files:
282
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4nwxngenki23gbddkqj3d5ddzcehpq27roel5p5uytftlb5k5sa._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
aurotunstealer
Create hunting rule
Similar samples:
029205ea9c916cf5ead87b16e4d62e2f0887db0318ed9a9ddef8912bb3df4ecf
AurotunStealer
5955c621a801b3e3eb1cae8bbbbfa9c271ce90a66ba4da7f076274a49222273b
AurotunStealer
a8ac40da7f243063370948e3a9d1c2f6d9ff5574d313631808b57b1040e99f7b
AurotunStealer
ead0485d49c84f5b6458f821f5581cccf7cb93081392c9209ccbe4b5e694524c
AurotunStealer
error
AurotunStealer
+ 34 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:aurotun family:hijackloader campaign:site4 discovery loader stealer
Link:
https://tria.ge/reports/250927-wpnl4sw1gw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Aurotun
Aurotun family
Detects Aurotun stealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/44b270f7-0e42-4c24-82c2-677ff949a8a0
Unpacked files
SH256 hash:
1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
MD5 hash:
11f28ad6c800d24a4276946c2d9cf7cf
SHA1 hash:
f4019a2aed018d70fac0ce3d4a03b63628a4cc4b
Link:
https://www.unpac.me/results/a348a040-93f5-434f-ac41-97e8c903f789/
SH256 hash:
a682769312ec5462cc6ee123f19bae4a3505d285fc12fd96604076212fdf69ce
MD5 hash:
b669b527644d240fe7058deb0e3dcb69
SHA1 hash:
d99b62a2a4d213e86b354acf6b1e88d2f41fcdda
Link:
https://www.unpac.me/results/a348a040-93f5-434f-ac41-97e8c903f789/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29289/

Comments