MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AurotunStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98
SHA3-384 hash: c1eab81240e8ecd14f4765d07f6a993e92a1b2a07b416a96524e4c5f292bc3736c2d48184d609c9061ca659c1850d9a1
SHA1 hash: 5c90c51d54c3efb86e9309b12c289c935eb051b7
MD5 hash: 97aeefb7899710c369c7675101738464
humanhash: single-may-hamper-ink
File name:flare.msi
Download: download sample
Signature AurotunStealer
Create hunting rule
File size:21'438'464 bytes
First seen:2025-05-22 10:07:09 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:epzAZ+MxiA5P255gNbUr/rZzBbXkPtdqLxZn7v8X5CcqvxQE0DyLEYDlmzZs:dZIgNbUT1bnnAJ3qvxJ0DFGmz6
TLSH T163271225B6D945B4F07A917484A64B56EB723C25136096CF03F0BA991F3BFE06E3E702
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:83-217-208-77 AurotunStealer msi

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.217.208.77:7712 https://threatfox.abuse.ch/ioc/1532659/

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ef7dec28c67d66644623a
Tags:
shellcode vmdetect virus spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto expand fingerprint fingerprint installer keylogger lolbin packed wix
Link:
https://www.filescan.io/uploads/682ef76afd02ed5e05823f42/reports/84b92320-1f02-44eb-b84b-8bdcc44a9623/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98
Result
Threat name:
Aurotun Stealer, MicroClip, Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696750
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Aurotun Stealer
Yara detected MicroClip
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696750 Sample: flare.msi Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 54 marupizza.com 2->54 56 api.ipify.org 2->56 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Antivirus detection for dropped file 2->70 72 11 other signatures 2->72 10 msiexec.exe 3 10 2->10         started        13 Hueta.exe 2->13         started        15 msiexec.exe 5 2->15         started        signatures3 process4 file5 52 C:\Windows\Installer\MSIEBAC.tmp, PE32 10->52 dropped 17 msiexec.exe 5 10->17         started        process6 process7 19 0xNJCOTKOHJV.exe 2 17->19         started        24 expand.exe 4 17->24         started        26 icacls.exe 1 17->26         started        dnsIp8 58 83.217.208.77, 49687, 7712 INF-NET-ASRU Russian Federation 19->58 60 api.ipify.org 104.26.12.205, 443, 49690 CLOUDFLARENETUS United States 19->60 62 127.0.0.1 unknown unknown 19->62 44 C:\Windows\System32\Hueta.exe, PE32+ 19->44 dropped 46 C:\Users\user\...\A0DXE3WfRXBG1MWsi0ry, PE32 19->46 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 19->74 76 Found hidden mapped module (file has been removed from disk) 19->76 78 Adds a directory exclusion to Windows Defender 19->78 28 cmd.exe 19 19->28         started        32 powershell.exe 23 19->32         started        48 C:\...\e492b1dcbf043845bc05d9a548298285.tmp, PE32+ 24->48 dropped 50 C:\Users\user\...\0xNJCOTKOHJV.exe (copy), PE32+ 24->50 dropped 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        file9 signatures10 process11 dnsIp12 64 marupizza.com 104.21.50.20, 443, 49696, 49697 CLOUDFLARENETUS United States 28->64 80 Found many strings related to Crypto-Wallets (likely being stolen) 28->80 82 Tries to harvest and steal browser information (history, passwords, etc) 28->82 84 Writes to foreign memory regions 28->84 88 3 other signatures 28->88 38 chrome.exe 28->38         started        86 Loading BitLocker PowerShell Module 32->86 40 WmiPrvSE.exe 32->40         started        42 conhost.exe 32->42         started        signatures13 process14
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98
Gathering data
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2025-05-22 06:45:40 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
14 of 24 (58.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zk7xzwccgjbso5shssyorek33ksc2be7bkeicgsau3xndw7hkma._file
Result
Malware family:
aurotun
Create hunting rule
Score:
  10/10
Tags:
family:aurotun discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250522-l5wbsa1rv8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Looks up external IP address via web service
Modifies file permissions
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Aurotun
Aurotun family
Detects Aurotun stealer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/934cd1ba-68e8-4146-b7f8-cdbaf46e39bc
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d655fbe6c21192193bb23ca587448aded5216824f8544408d20537768edf3a98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments