MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AurotunStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 4 File information Comments

SHA256 hash:	d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75
SHA3-384 hash:	bc12a3905b95fb02dd8dce6675a776b3e8dcb433ea3fbd56dc576eb5c4fbadf6b5461b351ea61ca9696f2ae0fffbf483
SHA1 hash:	0c7e4737327de3c17763c5427669997f11b2ae53
MD5 hash:	a014ade42dbc2013c25fc17103f7e5da
humanhash:	zebra-burger-snake-edward
File name:	d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c.exe
Download:	download sample
Signature	AurotunStealer Create hunting rule
File size:	6'198'784 bytes
First seen:	2025-08-08 23:50:17 UTC
Last seen:	2025-08-09 09:16:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	75a20672afc7bfa2e72f3631474db75d (4 x LummaStealer, 2 x Stealc, 2 x Vidar)
ssdeep	98304:w6S0VMURGDrhEXXeqx1/94d/OeNhBuZ5anfiQFxRt9tBTtSw8xfH8Y:vS6UhEXXeqx1/94RxuZGKQz5tnkX
TLSH	T1DF561225E879D0D6FCD341B177599252A4327F7B8F2C6A9B40F48B40124AEEE173B12B
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	AurotunStealer exe

abuse_ch

AurotunStealer C2:
45.32.188.16:7712

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.32.188.16:7712	https://threatfox.abuse.ch/ioc/1566575/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-08-08 23:33:17 UTC

Tags:

upx aurotun stealer

Link:

https://app.any.run/tasks/09db0e04-ad8b-4eda-b8ea-c832f45a806a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19779/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.89889526.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68968d561e8a59ee04e7b4db

Tags:

backdoor virus krypt

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68968d519ef4d2ff7cf36b06/reports/97c5d762-2c0a-483b-96ad-5253bdc09dc3/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/499e2a0c-fa75-4c94-bea4-99e1fdb40a02

Result

Threat name:

Aurotun Stealer

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1753438

Signature

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sets debug register (to hijack the execution of another thread)

Suricata IDS alerts for network traffic

Yara detected Aurotun Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/a014ade42dbc2013c25fc17103f7e5da

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75/

Verdict:

Malicious

Threat:

Family.AUROTUN

Link:

https://tip.neiki.dev/file/d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75

Threat name:

Win64.Trojan.Amadey

Status:

Suspicious

First seen:

2025-08-08 23:33:18 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2h6vsza7kuek2oyxipunqufqunave7fz22emlbwjghrpcmgyjr2q._file

Result

Malware family:

aurotun

Score:

10/10

Tags:

family:aurotun campaign:second persistence stealer upx

Link:

https://tria.ge/reports/250808-3vygtszwgv/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetThreadContext

UPX packed file

Looks up external IP address via web service

Checks computer location settings

Aurotun

Aurotun family

Detects Aurotun stealer

Malware Config

C2 Extraction:

45.32.188.16:7712

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b20088e5-6115-4590-ab67-23b11ece5962

Unpacked files

SH256 hash:

d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75

MD5 hash:

a014ade42dbc2013c25fc17103f7e5da

SHA1 hash:

0c7e4737327de3c17763c5427669997f11b2ae53

Link:

https://www.unpac.me/results/ccf29335-3ed8-4066-92ff-56cdf1d96ec5/

Malware family:

Aurotun

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d1fd59641f55/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d1fd59641f5508ad3b1743e8d850b0a341527cb9d688c586c931e2f130d84c75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19779/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample