MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AurotunStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 5 File information Comments

SHA256 hash:	f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081
SHA3-384 hash:	18e99d417c26a9df7e76bc0d4e71052f8965b00c3807ae492c4b0f62528019c306fd681f5f72689c62eea9ebe549bceb
SHA1 hash:	c052f4c67e155e5d17f9658ba87d3e2cc1137b7f
MD5 hash:	267cebc956e7b800f51cfdb6f5413d09
humanhash:	lemon-mockingbird-pasta-nine
File name:	267cebc956e7b800f51cfdb6f5413d09.exe
Download:	download sample
Signature	AurotunStealer Create hunting rule
File size:	17'997'955 bytes
First seen:	2025-07-20 21:40:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (54 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	393216:ldXqDQyR8fM9b+xOzxGH6LfjL2aVGzrH3nnP/6az1+7Inb:bXqDQG8EosL5QrXaazvnb
Threatray	348 similar samples on MalwareBazaar
TLSH	T1D507331376CB213FF07E8A364AB6D226593BBA2455028C66D7E4086CCF6A1D42D3F747
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	10d9e4564ce01824 (2 x AurotunStealer)
Reporter	abuse_ch
Tags:	AurotunStealer exe

abuse_ch

AurotunStealer C2:
85.208.84.21:23675

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
85.208.84.21:23675	https://threatfox.abuse.ch/ioc/1558264/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://fileport.io/YDU1hmAmxW2g

Verdict:

Malicious activity

Analysis date:

2025-07-17 16:35:41 UTC

Tags:

arch-exec auto generic hijackloader loader aurotun stealer evasion

Link:

https://app.any.run/tasks/eeeb7e22-d55f-4df8-9c6f-61260fcdb867

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16012/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=687d626384b37dd61ef00717

Tags:

shellcode shell spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Creating a file in the %AppData% subdirectories

Running batch commands

Launching a process

Searching for the window

Changing a file

Creating a process with a hidden window

Reading critical registry keys

Replacing files

Moving a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint installer obfuscated overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/687d62647bc45bdee1b27a8f/reports/033a6f5f-8f94-41d5-bbb0-a5ad275c9003/overview

Verdict:

Malicious

Labled as:

Trojan_Win32_Wacatac_B_ml

Link:

https://www.hybrid-analysis.com/sample/f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081

Result

Threat name:

Aurotun Stealer, HijackLoader

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1740624

Signature

Connects to many ports of the same IP (likely port scanning)

Drops PE files to the user root directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Aurotun Stealer

Yara detected HijackLoader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

86%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/267cebc956e7b800f51cfdb6f5413d09

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081/

Verdict:

Malicious

Threat:

Trojan.Win32.Penguish

Link:

https://tip.neiki.dev/file/f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-07-17 19:37:55 UTC

File Type:

PE (Exe)

AV detection:

9 of 36 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=65ka34ccwvwlewypscyxevnropm6a6frxq57olknpjdwc5hpscaq._file

Verdict:

malicious

Label(s):

ghostpulse

AurotunStealer

10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3

AurotunStealer

526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16

AurotunStealer

695141d7a2ad5ab74c3b10a5a70d5d9d279876cfa58e0a19bbfd0ca9b61fc005

AurotunStealer

6c1d83eaf51888518eaa5a7f6e2b5138d8f15bed99e2f581011be3223c48d3e3

AurotunStealer

944ef2c62506efbcbd27d579ff3ff1353dfb2258cfcafd4813d05c4e51ebbf2b

AurotunStealer

a5e0756405dea5b805018097497b69a945289cda1c57f1577f1da2706c7b52bb

AurotunStealer

c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f

AurotunStealer

caf2caec518bd900737d800e37f7c8548bc16712d3990edaca3aca176729e433

AurotunStealer

deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990

AurotunStealer

error

AurotunStealer

+ 338 additional samples on MalwareBazaar

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:aurotun family:hijackloader campaign:checks discovery loader stealer

Link:

https://tria.ge/reports/250720-1jh7nadl4v/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Aurotun

Aurotun family

Detects Aurotun stealer

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Malware Config

C2 Extraction:

85.208.84.21:23675

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b3ad7a78-617b-408b-b15d-d7c6d99b5812

Unpacked files

SH256 hash:

f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081

MD5 hash:

267cebc956e7b800f51cfdb6f5413d09

SHA1 hash:

c052f4c67e155e5d17f9658ba87d3e2cc1137b7f

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

98a1ef17c91f606d44759b8c4d36fafff58edc6796a4989ffc03400a1705501c

MD5 hash:

3e638ba4f8015f3b6bc4d86149a7a858

SHA1 hash:

0b9b880e14162dd6c9233a9bb54da9a8f00676d2

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

07b70973de31b88515b4c7e1d13cf4c103449f90e4f431ab8cd6174a08d95552

MD5 hash:

e3e3e66e3f9c02ab7386e9f14e2eb6fb

SHA1 hash:

0c2c82aea7ec20f37ada3e96099c47427326767c

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

9e259e17d06e5ee01ffe1fc54e2c2b16493c08834310a4ce00794215e2ebfc13

MD5 hash:

f4879f091b8325dbaf6b885c041afca5

SHA1 hash:

208afa5883519dd732156fe0560fe22bffd525dd

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

00da479ca45017d16b6e5e7d621cdc2a9856b5711762d5eac7fcd6f1ae0760a9

MD5 hash:

d50375fcd841691ec9303946ad6b37ce

SHA1 hash:

22846ad0041f44ea90eacdcb3203ae552cc91066

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

c7e52f15cfbc07d29c7f795e9ec891dfb092c4e7ec44b2f7bbd49362c4dd1e90

MD5 hash:

d141c245475673b1a39fef466862b8c8

SHA1 hash:

26c44dd79ac90a5b471aacf4e88a91003f6f515f

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

c81f29c2766500499279ae5eb92a7073060719ea51fc61c29d2843637ab71b8f

MD5 hash:

9dbb95cd0e3ad01df65d3230abe9c5ee

SHA1 hash:

3bed488d37a4580deb21364e567f84ad9da4c9d7

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

cf5259c750511e287700c7a464c3a394e90456222899d64ea131bd84af32c130

MD5 hash:

f5f18c58e512329c41f0056b9a1b018b

SHA1 hash:

56a317c25ab4d6ce3ec99189c1683b16384ced51

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

99f53fb3f8e2e203b159214f78fc6b883b6dbc9ed54ef70a2946d30a57e0f71b

MD5 hash:

3f32925238f193e3d54b48af8f9597ec

SHA1 hash:

770bd9770abe03ef657aff1b979bc4129439732a

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

2e516f09829db4d9680e416179c97c5e3952747368e9b3601497d73ec33a5a59

MD5 hash:

aea6f6b3f18e49438e3d2819b4be9873

SHA1 hash:

867f92a9cdb48095a2d9325f079b8b8e3071442e

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

aab8d43f268519542661d9b8a6741f312b75415bb22b28b4e69b4ae524351eba

MD5 hash:

26d6bb7e926fe18ced11f9d3086700b2

SHA1 hash:

8b4335b688a7b478728fe0714a3c0f0b15f5762e

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

53e054ac1ed714102c4748f362fce6a1c0fb694fa4cd23b73036ce4d12a9f03f

MD5 hash:

2760c3adc05950cf0a565a53e6e2da47

SHA1 hash:

a482fe0f68c837551271a1bdc652e007cac1d0b5

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

b358db8c3ddf39405f3f25c57663061994984ad3f6df0b4d4dfd9801b91c16ff

MD5 hash:

fd727993b22b012c5b270826b251a1e5

SHA1 hash:

a9a472aa8a7da9ec076f7d8e3c91abedd262c39b

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

99f214311478f12737b62a2ecf85170937d834463f973eaa78a0f84364e2db4d

MD5 hash:

57b6c99558da20783ee94e359df62dad

SHA1 hash:

ae0561dacbdadaf1af59dfc5c091441d1ac6dafe

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

c27b4ef2b511075655aad10267ce4dab2c14003ea3c056fb9f7c483a2f57eeb8

MD5 hash:

e877611f1791feae573ecd5ab9b99451

SHA1 hash:

e877d2a3baec88c1a316d57ed3c10920f44792a2

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

978f92e09a52ea1ff6ba75010a85b7610117c849fad4ed148ec9c2b5113496d8

MD5 hash:

86fc590ef19454be306afe179a6d4e1b

SHA1 hash:

b3c78624879bacde6309586080a4d5310f34eeab

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

0823b2bf3fcc268f31281d520a29e8c0be43df4b2414c3023657f5257a9a103e

MD5 hash:

ebf678ed606696584c9252c051690e22

SHA1 hash:

5bf8a4854c17c75f6ae170ad7e6232ae8296d129

Detections:

win_samsam_auto

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

Parent samples :

2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
64e2811f4c55a0b962e31c3fd01aa653ff5a55d56146ff2f4b6fbef6236c46a4
78ed91aa3f80105bc099ac45eb8c5d50536aeeab5442a81d80aedfa90e42988d
e68aaae515c5a9209fad7b4217f534de39b36ec66aff13c900c6c729e14dd31f
58a5e3bb70bcb50147587807794bcee8ee3c7e5c67a630b092e7899d2a50c83b
584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f
ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
9e05baee59cd27a85f08cf2fa678f54c3bb639f29d4521bfa0319bf174c04dba
6ffd4fb10bc191d0a3b5b47bec951397628f2dad1f5defce506c753c90c0f296
a7c5e1f4789b6b066c8030a3966786c99682371751c255e4e77d4b5a485237ae
46091fc17ded829d91a0563354ca16ff416f6b92912ad7ddd39ff326d787299b
f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081
f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
516523a72a445b175b620ee3ec70e0be6d7ddd9e217c22867527a3e17b7bb8b2
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
772b547b8e01d86b2d4a32e308a42388f298ca4faedb0d6a3b78fb0d4dce8826
cabf319baf5f3c955f6e251d101bdc61a1d7c3ced40e3f313c7d43f8571c00dd
9de72bbf7efdb9b528351ec7ad706d6197e860a78b2846adf700cbc10d0760fa

SH256 hash:

a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0

MD5 hash:

cabb58bb5694f8b8269a73172c85b717

SHA1 hash:

9ed583c56385fed8e5e0757ddb2fdf025f96c807

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

SH256 hash:

68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe

MD5 hash:

d4dae7149d6e4dab65ac554e55868e3b

SHA1 hash:

b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

Link:

https://www.unpac.me/results/17c2af45-f375-45d5-bb5e-f40fd6903f20/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16012/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample