MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AurotunStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
SHA3-384 hash: 076dbfd85009d777c2afaa476d865c4f13724f0584ff4b806d02b085fa142c4d4d9ebe99208eee932704e620ac2a5143
SHA1 hash: fb6ab4cb742740b3f14d45ca0dd86f7bc3ea0e0b
MD5 hash: 54c1a2996fa3f5f41c79018fcda15b39
humanhash: minnesota-spring-zulu-undress
File name:82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
Download: download sample
Signature AurotunStealer
Create hunting rule
File size:3'364'798 bytes
First seen:2025-07-19 03:52:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep 98304:F4AGl0T3RCVLASWCA2z3lsQQPX3GDnX3uZTExL:WALcVTz3lsr3GLOExL
TLSH T19AF52300FED198B1E0631AB65E397711A9782D609FB18EDF5780099DEB358C1D932FA3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter nickkuechel
Tags:Amadey AurotunStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
36
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
Verdict:
Malicious activity
Analysis date:
2025-07-19 03:52:47 UTC
Tags:
amadey botnet stealer loader rdp auto-reg lumma arch-exec telegram auto purelogs purecrypter possible-phishing stealc ultravnc rmm-tool themida aurotun evasion generic
Link:
https://app.any.run/tasks/098aae45-af6a-48ee-a42f-ea7d47c61688

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15597/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687b167d2f623871a5eff5a6
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm autoit evasive fingerprint fingerprint installer keylogger microsoft_visual_cc overlay overlay sfx
Link:
https://www.filescan.io/uploads/687b16788a7d628a81b74ce3/reports/480ab462-ee28-4341-afe4-33aa80b2e280/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44ba3d71-71c3-4f17-bc0f-74734d1abc50
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/54c1a2996fa3f5f41c79018fcda15b39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f/
Verdict:
Malicious
Threat:
Win32.Trojan.Rasftuby
Link:
https://tip.neiki.dev/file/82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2025-07-17 09:00:18 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qlieoywtjilxekryntl3uu3d6e2kmyqgrmq4u2in6i7d7tiq7i7q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
admintool_nsudo
Create hunting rule
unc_loader_051
Create hunting rule
admintool_nircmd
Create hunting rule
Similar samples:
error
AurotunStealer
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:aurotun family:deerstealer family:lumma family:stealc family:xmrig botnet:9fa1e2 botnet:cause collection defense_evasion discovery execution miner persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/250719-ee9m6adp7z/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Detects videocard installed
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
ConfuserEx .NET packer
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
Aurotun
Aurotun family
DeerStealer
Deerstealer family
Detects Aurotun stealer
Detects DeerStealer
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Malware Config
C2 Extraction:
http://176.46.157.50
http://45.141.233.187
https://gehkmx.top/xkaj
https://thoqp.lat/zidw
https://unxyng.top/zpld
https://trbxlj.top/atiw
https://cooawbi.top/dpla
https://ourkbpw.top/aoti
https://sacrp.top/amnt
https://dktnd.top/xuqi
https://cichau.lat/agbn
https://t.me/partisanclan
https://swalocf.lat/atxi
https://gigohe.top/diau
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d2344aa3-50d2-4241-a9ce-1c6612477429
Unpacked files
SH256 hash:
82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f
MD5 hash:
54c1a2996fa3f5f41c79018fcda15b39
SHA1 hash:
fb6ab4cb742740b3f14d45ca0dd86f7bc3ea0e0b
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
SH256 hash:
cfed1d1c48d23496138f163f5a8d97aa2e766ec86fb805b8a533f2a2c70d0653
MD5 hash:
0a1ddf7dc8a3dd836e4c0519bcb04d17
SHA1 hash:
86e33dac2d20f07c54e07459890cd3e9f37d71ec
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
SH256 hash:
1a4c2728c1e7c4eac30811ef38513c8ee1416ebc11e47d9cddacdf6f52776c27
MD5 hash:
a269b098a8b9171c0c437ca42bbd7ff7
SHA1 hash:
b753407ad323e9b42f2670bfe1f33ae75620c7e3
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
SH256 hash:
805add5feeeae17788fb6a98e6c2ed8eecb7c0a31994489b6f5db7e879971086
MD5 hash:
90c11eb97f32a2e75a36925b879aa6ea
SHA1 hash:
ce77dcd79765ab773a48544e3692b77312e67a5e
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
SH256 hash:
c43a69d878e29d697c22d4b0f3ce6f50b3a2152801adf4381139ec187be16410
MD5 hash:
62348f492a601ebd7815376b68ba358e
SHA1 hash:
7938574f5de9d459bd11b3349c41a65b6fd0cd74
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
SH256 hash:
bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash:
d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash:
1c621b91969feead4e4531a93167d9d559030998
Link:
https://www.unpac.me/results/dfe71109-b4f0-4386-bbae-344d9a50a540/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15597/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments