MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WallStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
SHA3-384 hash: 5784260a401129033412493a6ea0304c9a09dcec27c7e1bf75f8137e133673a7d39c57c65919beb0a3bc4365432acc57
SHA1 hash: f523100bde0ce2dc8ed8b56fbb9a9e8679460b30
MD5 hash: 4cd375e418630fe4d3ff7caf08a15788
humanhash: stairway-nevada-don-carpet
File name:AuroraClient.exe
Download: download sample
Signature WallStealer
Create hunting rule
File size:383'488 bytes
First seen:2026-02-28 12:33:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad84e9bbec1f11ee76f786dbd8fb80f0 (1 x WallStealer)
ssdeep 6144:ZbKtVwDpnCHHi+46FXg6qF1B/zIUkYieBoVhl4slHWinoVHNLXs:FK88HHv463qlzbieqDisxfok
TLSH T1D9847D06E6A504FDE16BD138C9525902FB727C4E47A1DBCF23948AA61F236E09E3F711
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe WallStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://www.mediafire.com/file/6ind14y7lapujvd/Aurora.rar/file
Verdict:
Malicious activity
Analysis date:
2026-02-25 20:33:20 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/1b390c5d-03ba-4f78-971f-16b9f4b79113

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55001/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a2e0488fffa866e3b34811
Tags:
phishing cobalt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 crypto evasive fingerprint fingerprint hacktool microsoft_visual_cc obfuscated stealer
Link:
https://www.filescan.io/uploads/69a2e0c610e80629d4f6891c/reports/bb9fc6de-aa99-4c67-8c63-ae191ca79348/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-PSW.Stealer.TCP.C&C Trojan-PSW.Stealer.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C Trojan-PSW.Win32.Vidar.hxs Trojan-Downloader.Win32.Agent.xydppo Trojan-Downloader.Agent.HTTP.C&C Trojan-PSW.Vidar.HTTP.C&C
Link:
https://opentip.kaspersky.com/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1568cb49-aec6-423b-8131-c07441533398
Result
Threat name:
WallStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876352
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking volume information)
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected WallStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876352 Sample: AuroraClient.exe Startdate: 28/02/2026 Architecture: WINDOWS Score: 100 64 interactiom.top 2->64 66 www.google.com 2->66 68 3 other IPs or domains 2->68 90 Suricata IDS alerts for network traffic 2->90 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 6 other signatures 2->96 9 AuroraClient.exe 150 674 2->9         started        14 msedge.exe 2->14         started        signatures3 process4 dnsIp5 70 62.60.226.97, 49712, 5553 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 9->70 72 www.google.com 142.251.32.164, 49693, 49698, 49703 GOOGLEUS United States 9->72 78 2 other IPs or domains 9->78 46 C:\Users\user\AppData\Local\...\file_1.tmp, DOS 9->46 dropped 48 C:\Users\user\AppData\Local\...\file_1.tmp, DOS 9->48 dropped 50 C:\Users\user\AppData\Local\...\file_0.tmp, COM 9->50 dropped 52 3 other malicious files 9->52 dropped 98 Found evasive API chain (may stop execution after checking volume information) 9->98 100 Adds a directory exclusion to Windows Defender 9->100 102 Queries Google from non browser process on port 80 9->102 16 upers.exe 9->16         started        20 powershell.exe 23 9->20         started        22 powershell.exe 23 9->22         started        30 2 other processes 9->30 74 192.168.2.5, 138, 443, 49276 unknown unknown 14->74 76 239.255.255.250 unknown Reserved 14->76 24 msedge.exe 14->24         started        26 msedge.exe 14->26         started        28 msedge.exe 14->28         started        file6 signatures7 process8 dnsIp9 54 interactiom.top 151.243.113.70, 443, 49717 RASANAIR Iran (ISLAMIC Republic Of) 16->54 56 steamcommunity.com 23.222.161.105, 443, 49715 AKAMAI-ASUS United States 16->56 80 Multi AV Scanner detection for dropped file 16->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->82 84 Hijacks the control flow in another process 16->84 88 6 other signatures 16->88 32 msedge.exe 16->32         started        34 WerFault.exe 16->34         started        86 Loading BitLocker PowerShell Module 20->86 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        58 13.107.213.69, 443, 49738, 49743 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->58 60 part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49704, 49725 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->60 62 34 other IPs or domains 24->62 40 conhost.exe 30->40         started        42 conhost.exe 30->42         started        signatures10 process11 process12 44 msedge.exe 32->44         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77/
Verdict:
Malicious
Threat:
Trojan-PSW.Lumma.TCP
Link:
https://tip.neiki.dev/file/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
Threat name:
Win64.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-27 01:50:44 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42kpe2zesbinyaab4serdqjyd27jgcfil2dk7tqwthltb2vmpn3q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260228-prvd4sgt9g/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Time Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Unpacked files
SH256 hash:
e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
MD5 hash:
4cd375e418630fe4d3ff7caf08a15788
SHA1 hash:
f523100bde0ce2dc8ed8b56fbb9a9e8679460b30
Link:
https://www.unpac.me/results/2bf26387-f3b4-46bf-934b-767844ba40c7/
Malware family:
WallStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e694f26b2490/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

WallStealer

Executable exe e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77

(this sample)

WallStealer

Executable exe 0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0

Cape
Cape
https://www.capesandbox.com/analysis/55001/
  
Dropping
SHA256 0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
  
Dropping
MD5 e76586ffea5c92002e4a8edf60b64bfe

Comments