MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AuroraStealer

Vendor detections: 16

SHA256 hash: 21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273
SHA3-384 hash: 310342d28823668f655c3ac85b0dd8df25da79efa622203fd94ffe6d3771c43bddda4ffce77af6b52865c336e2bd61f7
SHA1 hash: 53df8d471d1b0f5fd2b0d11f15c44c2a08e43130
MD5 hash: 3d6bbb095f2800b2e08b55c4937b180e
humanhash: five-ohio-table-sierra
File name: 21063fbe8f41527df5613ed1fec86e81f25e7649ecee5.exe
Signature: AuroraStealer
File size: 210'944 bytes
First seen: 2023-02-15 20:50:20 UTC
Last seen: 2023-02-15 22:28:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 308f6e5717c80fbda640d081ccf649e4 (11 x Smoke Loader, 5 x RedLineStealer, 3 x AuroraStealer)
ssdeep: 3072:rFnyk91VqX3vlRBfsO/EWnVmuOqXW2xrck2Z7rXGJ634ElOMG9dfYpTy5JM:rVyssdRBfrMWngudX9xrctZvXGJ3El5
Threatray: 16'263 similar samples on MalwareBazaar
TLSH: T1B524CF3276D19472F26306318F66C6F5AB2BF871CF75AA9B2784462F0E717A2C711312
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9892c4cacae2e0e4 (1 x AuroraStealer)
Reporter: abuse_ch
Tags: AuroraStealer exe


abuse_ch
AuroraStealer C2:
94.142.138.4:8081

Intelligence


File Origin
# of uploads: 2
# of downloads: 227
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 21063fbe8f41527df5613ed1fec86e81f25e7649ecee5.exe
Verdict: Malicious activity
Analysis date: 2023-02-15 20:51:27 UTC
Tags: trojan loader smoke
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Reading critical registry keys
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Aurora, RedLine, SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Spyware.Aurorastealer
Status: Malicious
First seen: 2023-02-15 20:51:06 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 15 of 25 (60.00%)
Threat level: 2/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor discovery spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects Smokeloader packer
SmokeLoader
Unpacked files
SHA256 hash: 57d57c0a8564dec73c5dfde1d20eb1c412eae4d69ff9b6c13164d2598c635319
MD5 hash: 728cbb098020dfae32eef9756b17b4a9
SHA1 hash: 4ce2b91287009490ad2573346aedeb60cd9ca33e
Detections: win_smokeloader_a2 SmokeLoaderStage2
Parent samples:
SHA256 hash: 21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273
MD5 hash: 3d6bbb095f2800b2e08b55c4937b180e
SHA1 hash: 53df8d471d1b0f5fd2b0d11f15c44c2a08e43130

Malware family: SmokeLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.
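The file hashes listed at the top of this entry, the C2 socket reported by abuse_ch, and the behaviour chain the sandboxes describe (a file written under %AppData%, a process started from that file, an HTTP POST to the infection source) are the pieces a responder would turn into a hunt. The script below is an added example, not MalwareBazaar's or any sandbox vendor's code: the indicator values are the ones published on this page, while the file bytes it hashes and the Sysmon-style events it correlates are constructed for the demonstration, with hypothetical paths and process IDs (the Sysmon event IDs and field names are the real ones).

```python
"""IOC matching and behaviour correlation for the MalwareBazaar entry above.

Added example, not MalwareBazaar's or any sandbox vendor's code. The hash and
C2 values are the ones published on this entry; every file blob and event
below is constructed for the demonstration and is not taken from the sample.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Indicators published on this entry.
SAMPLE_HASHES: Dict[str, str] = {
    "md5": "3d6bbb095f2800b2e08b55c4937b180e",
    "sha1": "53df8d471d1b0f5fd2b0d11f15c44c2a08e43130",
    "sha256": "21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273",
    "sha3_384": "310342d28823668f655c3ac85b0dd8df25da79efa622203fd94ffe6d3771c43bddda4ffce77af6b52865c336e2bd61f7",
}
# SHA256 of the unpacked SmokeLoader stage listed under "Unpacked files".
UNPACKED_SHA256 = "57d57c0a8564dec73c5dfde1d20eb1c412eae4d69ff9b6c13164d2598c635319"
C2: Tuple[str, int] = ("94.142.138.4", 8081)


def file_digests(data: bytes) -> Dict[str, str]:
    """Compute the same digest set MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(data: bytes, iocs: Dict[str, str] = SAMPLE_HASHES) -> List[str]:
    """Return the names of the algorithms whose digest of `data` equals an IOC."""
    digests = file_digests(data)
    return [alg for alg, value in iocs.items() if digests.get(alg) == value.lower()]


# Constructed Sysmon-style events (real Sysmon field names; event IDs
# 11 = FileCreate, 1 = ProcessCreate, 3 = NetworkConnect). Paths and PIDs
# are hypothetical; only the C2 socket comes from this entry.
SAMPLE_EVENTS: List[dict] = [
    {"id": 11, "ts": 1, "ProcessId": 4120, "Image": r"C:\Users\u\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\fgtsa\fgtsa.exe"},
    {"id": 1, "ts": 2, "ProcessId": 5004, "ParentProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Roaming\fgtsa\fgtsa.exe"},
    {"id": 3, "ts": 3, "ProcessId": 5004, "Image": r"C:\Users\u\AppData\Roaming\fgtsa\fgtsa.exe",
     "DestinationIp": "94.142.138.4", "DestinationPort": 8081},
    # Benign traffic from an unrelated process: must not be flagged.
    {"id": 3, "ts": 4, "ProcessId": 900, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def correlate_dropper_chain(events: Iterable[dict], c2: Tuple[str, int] = C2) -> List[List[dict]]:
    """Link three behaviours the sandboxes reported: a file written under
    %AppData%, a process later started from that file, and that process
    connecting to the C2 socket. Returns one [create, start, connect] list
    per chain found, in timestamp order."""
    dropped: Dict[str, dict] = {}               # lowercased path -> FileCreate event
    started: Dict[int, Tuple[dict, dict]] = {}  # pid -> (ProcessCreate, FileCreate)
    chains: List[List[dict]] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == 11 and APPDATA_RE.search(e["TargetFilename"]):
            dropped[e["TargetFilename"].lower()] = e
        elif e["id"] == 1 and e["Image"].lower() in dropped:
            started[e["ProcessId"]] = (e, dropped[e["Image"].lower()])
        elif e["id"] == 3 and e["ProcessId"] in started:
            if (e["DestinationIp"], e["DestinationPort"]) == c2:
                proc, drop = started[e["ProcessId"]]
                chains.append([drop, proc, e])
    return chains


if __name__ == "__main__":
    blob = b"constructed bytes, not the real sample"
    print("hash IOC hits:", match_hashes(blob))
    for drop, proc, conn in correlate_dropper_chain(SAMPLE_EVENTS):
        print("dropper chain:", drop["TargetFilename"], "-> pid", proc["ProcessId"],
              "->", f'{conn["DestinationIp"]}:{conn["DestinationPort"]}')
```

Two caveats follow from the entry itself. The file hashes only identify this exact packed binary; the unpacked stage listed under "Unpacked files" has its own SHA256, so artefacts carved from memory or unpacked by a sandbox need their own indicators. And the imphash cluster spans SmokeLoader and RedLine samples as well as Aurora, while the unpacked child is detected as SmokeLoader stage 2, so that imphash is an indicator for the loader/packer layer rather than for the Aurora payload specifically.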

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AuroraStealer
File: Executable exe 21063fbe8f41527df5613ed1fec86e81f25e7649ecee571ec24115f8d40e0273 (this sample)

Comments