MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AurotunStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7
SHA3-384 hash: bb2614f5dd3f4383fcec23c9a7aac3edc121ab6d498aea66f9172a33dda31d268f418823f4c005bd4c5aff957659ff31
SHA1 hash: c9edb92d014a002cad327337f37b82597cb5905e
MD5 hash: c2e1f467ea60f06130d08694929977d2
humanhash: alaska-august-sixteen-oklahoma
File name:file
Download: download sample
Signature AurotunStealer
Create hunting rule
File size:8'050'688 bytes
First seen:2025-09-24 04:02:19 UTC
Last seen:2025-09-25 20:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 196608:qAxiyFBw6SsPk/CmAINlm8l3SZaz1d0c1:qARnS//CKNE8l/zL0c
TLSH T1E086330B961F5FE5F36132FFD0E79C095A91168048B75B6F27BE080ECF4492A6A5320E
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:AurotunStealer dropped-by-amadey exe


Avatar
Bitsight
url: http://178.16.54.200/files/7461826239/kffvoaA.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
68
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-23 18:02:18 UTC
Tags:
stealc stealer amadey vidar botnet unlocker-eject tool loader auto-reg arch-exec evasion themida phishing rdp gcleaner anti-evasion auto rhadamanthys autoit lumma aurotun pastebin github darkvision rat payload meshagent rmm-tool websocket ip-check
Link:
https://app.any.run/tasks/fd66896c-436d-4924-a06e-b3f3b15181d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MonsterV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28726/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.75737387.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53ccd1e4783989051cb9c
Tags:
virus crypt remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Setting a global event handler for the keyboard
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated oreans_codevirtualizer packed packed packer_detected
Link:
https://www.filescan.io/uploads/68d36da0c24f53840f2fdf59/reports/0ab7e8c9-9e39-4274-8f66-6bd05c14542d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-23T09:18:00Z UTC
Last seen:
2025-09-23T09:18:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Udochka.sb HEUR:Trojan.Win64.Agent.gen VHO:Trojan-PSW.Win32.Lumma.gen Trojan.Win64.Agent.smerzp NetTool.cURLGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dde9ef11-de05-49df-980c-4f4ba5bce3c5
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/c2e1f467ea60f06130d08694929977d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7/
Verdict:
Malicious
Threat:
Family.AUROTUN
Link:
https://tip.neiki.dev/file/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-09-23 14:15:34 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfsehfbxhhr6yg3lpipnrjsyh6r7xx7zxhfomivc2znxebliottq._file
Verdict:
malicious
Label(s):
aurotunstealer
Create hunting rule
Similar samples:
error
AurotunStealer
Result
Malware family:
aurotun
Create hunting rule
Score:
  10/10
Tags:
family:aurotun campaign:tkt persistence stealer
Link:
https://tria.ge/reports/250924-eml7tszpx6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Aurotun
Aurotun family
Detects Aurotun stealer
Malware Config
C2 Extraction:
85.192.49.40:7712
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/bc05f526-07a6-44ef-b9c8-c190238be6ec
Unpacked files
SH256 hash:
b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7
MD5 hash:
c2e1f467ea60f06130d08694929977d2
SHA1 hash:
c9edb92d014a002cad327337f37b82597cb5905e
Link:
https://www.unpac.me/results/f1fba79a-680b-4af5-a1f5-d39b9af76f3c/
Malware family:
Aurotun
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b16443943739/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AurotunStealer

Executable exe b16443943739e3ec1b6b7a1ed8a6583fa3fbdff9b9cae622a2d65b72056874e7

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3630790/
Cape
Cape
https://www.capesandbox.com/analysis/28726/
  
URLhaus
https://urlhaus.abuse.ch/url/3630971/

Comments