MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AurotunStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 24 File information Comments

SHA256 hash:	d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2
SHA3-384 hash:	0914f2fdf7a1cea8d895d254ebd02a8531e3c86386645451cf9cc6f855df88afe8c5a302f023939cf054fe6ada57117b
SHA1 hash:	85769ac8a2f93ff68946b282c762cfc6035930bb
MD5 hash:	100aa7bbcda081746a60ecde3fd0948b
humanhash:	autumn-arkansas-north-six
File name:	100aa7bbcda081746a60ecde3fd0948b.exe
Download:	download sample
Signature	AurotunStealer Create hunting rule
File size:	17'266'619 bytes
First seen:	2025-07-24 20:30:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (56 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	393216:ZuYfcr8LOWI6ydyS23X3njBcsEL8et1z/rgiPl7WM3HEeDJubC:DLOWgZ23t9k1z0IH7DJubC
Threatray	66 similar samples on MalwareBazaar
TLSH	T12A073317A28B653FF07A47368AB7E252853B7B2199138C679BE4081CCF161D11E3FA17
TrID	48.4% (.EXE) Inno Setup installer (107240/4/30) 19.4% (.EXE) InstallShield setup (43053/19/16) 18.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 4.7% (.EXE) Win64 Executable (generic) (10522/11/4) 2.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
dhash icon	a6eea0d2b6c0f81e (2 x AurotunStealer)
Reporter	abuse_ch
Tags:	AurotunStealer exe

abuse_ch

AurotunStealer C2:
85.208.84.32:2326

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
85.208.84.32:2326	https://threatfox.abuse.ch/ioc/1560460/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2.exe

Verdict:

Malicious activity

Analysis date:

2025-07-24 20:33:00 UTC

Tags:

auto generic delphi hijackloader loader aurotun stealer auto-startup

Link:

https://app.any.run/tasks/b6052fea-68b4-4009-86f4-14d260926d64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16694/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6882980f0b4775fb21308416

Tags:

backdoor dropper spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Searching for the window

Creating a file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Connection attempt

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Transferring files using the Background Intelligent Transfer Service (BITS)

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

QD:Trojan.GenericQ

Link:

https://www.hybrid-analysis.com/sample/d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/81f21092-b19b-4a66-9cb9-d597d07024e3

Result

Threat name:

HijackLoader

Detection:

malicious

Classification:

troj.expl.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1743738

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected HijackLoader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/100aa7bbcda081746a60ecde3fd0948b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2/

Verdict:

Malicious

Threat:

Trojan.Win32.Penguish

Link:

https://tip.neiki.dev/file/d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2025-07-22 08:45:57 UTC

File Type:

PE (Exe)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2m5a44nge3dn473u46abyidrfdy75tqdcbisooxbnvk5xmmighba._file

Verdict:

malicious

Label(s):

shellterloader

remcos

hijackloader

AurotunStealer

3d5b6a4d84b4f6d701e351024294c3c66f40c54e3cb5a08f58efd2d4db2befc2

AurotunStealer

6c5b16ceb611d4c80e77e0f62ea29b10664b19272b8bbca5dedd8050098c1b0c

AurotunStealer

82d04762d34a17722a386cd7ba5363f134a662068b21ca690df23e3fcd10fa3f

AurotunStealer

8c976b068ac5de37d56ac173cc28c36f7ebecf98c05d527defa282564919333a

AurotunStealer

c71ab381c16b8f14e2a83fbacecc33895966eb98de97bfe21b97c604241a7d6f

AurotunStealer

d9a121212fdccc282f12ca51a269f41cda3704361e39d139f0e7b81dbb380c94

AurotunStealer

ed8bd59c514a257fd97b34500a3aa6c177878272e468aeea3c8ddfa64f244312

AurotunStealer

error

AurotunStealer

+ 56 additional samples on MalwareBazaar

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader

Link:

https://tria.ge/reports/250724-zaj7xsdq5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a1eea3a4-ca43-4778-ac2c-5182ec962a21

Unpacked files

SH256 hash:

d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2

MD5 hash:

100aa7bbcda081746a60ecde3fd0948b

SHA1 hash:

85769ac8a2f93ff68946b282c762cfc6035930bb

Link:

https://www.unpac.me/results/885a9b6b-56c0-4b44-8df1-e9783a1f1d9e/

SH256 hash:

8092b2ade20c9fb29f4d523d7c44100e0801215536177b86472eff81c09190f2

MD5 hash:

782c43f3d5fdc7317335727177af0090

SHA1 hash:

8622519c2cbe1ab4c76185fe00284ea3398bbd2e

Link:

https://www.unpac.me/results/885a9b6b-56c0-4b44-8df1-e9783a1f1d9e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	skip20_sqllang_hook Create hunting rule
Author:	Mathieu Tartare <mathieu.tartare@eset.com>
Description:	YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:	https://www.welivesecurity.com/

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Trojan_GhostPulse_caea316b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16694/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample