MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AurotunStealer

Vendor detections: 15

SHA256 hash: ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
SHA3-384 hash: c9dbba57a12d528e77beff3f7007f8693cafde66a58de70a8ecef38c9858ae218dffb26ebe0874826b599dc5df263c93
SHA1 hash: e52be4cc6163f2a4886cd4386e169b2d0ee18d87
MD5 hash: 916a92fecce7add34f036ded4aa56f27
humanhash: juliet-indigo-purple-fifteen
File name: vervet.exe
Signature: AurotunStealer
File size: 16'338'146 bytes
First seen: 2025-06-28 01:49:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d7e2fd259780271687ffca462b9e69b7 (6 x AsyncRAT, 6 x LummaStealer, 6 x AurotunStealer)
ssdeep: 393216:UpheUVEJmFbXNEKuBplQHAR2MardbL6Ser7M58MLo7VAa5:UptRbXKKuBplQG2fZbL6SaM5eR5
Threatray: 1'135 similar samples on MalwareBazaar
TLSH: T111F63331E5904126E6F142B7FD2891307E39A7241B618D6BE6D8DD4E3AFC88127FB217
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: kafan_shengui
Tags: AurotunStealer exe remcos


Comment by kafan_shengui:
C&C: 194.165.16.141

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 103.119.47.218:45654
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1550220/

Intelligence

File Origin
# of uploads: 1
# of downloads: 568
Origin country: GB
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: vervet.exe
Verdict: Malicious activity
Analysis date: 2025-06-28 01:48:13 UTC
Tags: auto generic aurotun stealer auto-startup

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: vmdetect emotet

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Creating synchronization primitives
Creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm anti-vm base64 blackhole CAB crypto entropy evasive expand expired-cert fingerprint fingerprint installer lolbin microsoft_visual_cc overlay overlay packed packed packed packer_detected remote runonce tracker

Gathering data
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-06-27 22:02:02 UTC
File Type: PE (Exe)
Extracted files: 48
AV detection: 8 of 38 (21.05%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:aurotun family:hijackloader discovery loader stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Aurotun
Aurotun family
Detects Aurotun stealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
MD5 hash: 916a92fecce7add34f036ded4aa56f27
SHA1 hash: e52be4cc6163f2a4886cd4386e169b2d0ee18d87

SHA256 hash: eb56bdf4492b1789b8e7a30c70c908d8cc7d153b53edbf0c064c594df0cc0849
MD5 hash: cba91f277b745d315bb86689b18b9b78
SHA1 hash: 33a52b542cd4a881e227cd34d6d2678891bef6e4

SHA256 hash: 255a31230ab6ba26427cc474d67751374bd094d1a5c719eb6310973d4cbba5bc
MD5 hash: 4cdd97d6673fd4f5f602646bf9829f4b
SHA1 hash: 3c69560267e6c49733be49269767d849270c7c91

SHA256 hash: 1b0060b4bcc72c5a5a99eb2b2a4a0b6c8b57dfdeec37790f7b604a9f8b9c4543
MD5 hash: b88cebd26e16eb5a6c4e3fb23260262b
SHA1 hash: 48a254794f8d923534fc5e286fdf542a53fa178c

SHA256 hash: ee36e8fb1e9cfc71ed25b7111170f48774f35b8cfb78121455cf7ae808951c3a
MD5 hash: 8764c70c4872a232a71e216e77c2e476
SHA1 hash: b2c74d4871c73dd3ce9c940e79b0d0c227414b39

SHA256 hash: c6bb5d4f853e5d6ef86deb2656346324c7253297720b9b3fcc22790783532590
MD5 hash: 7463755ab64e76b7cc25678bcc441571
SHA1 hash: 3f21323c4f15ac5f2d57462a9383b65f6daa8d89

SHA256 hash: f817b410c73c093176bd79821a99be9fbb791b2aeb651e62bd6fc7e6a680ccf1
MD5 hash: 538e88dd8a0469996ab7e3521db229d5
SHA1 hash: c8d045eeb15dd0d8354818967dc81a60756e0cd4

SHA256 hash: fb44a831e929567fdb4f581a34c39e5026e9a8411ed0bcb7314a5af936c93ff2
MD5 hash: 587eb6a5d9f1d7519ad13fcf168aa655
SHA1 hash: becf8fd070e019ae5c0e24bb69f5d9964cab41b4

SHA256 hash: a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash: cabb58bb5694f8b8269a73172c85b717
SHA1 hash: 9ed583c56385fed8e5e0757ddb2fdf025f96c807

SHA256 hash: 68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash: d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash: b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews

Each entry gives the capability ID with its description, followed by the imported functions cited as evidence:

AUTH_API (Manipulates User Authorization)
  ADVAPI32.dll::AllocateAndInitializeSid
  ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
  ADVAPI32.dll::CreateWellKnownSid
  ADVAPI32.dll::SetEntriesInAclW
  ADVAPI32.dll::SetEntriesInAclA
  ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_API (Can Download & Execute components)
  ole32.dll::CLSIDFromProgID
  ole32.dll::CoCreateInstance
  ole32.dll::CoInitializeSecurity
SECURITY_BASE_API (Uses Security Base API)
  ADVAPI32.dll::AdjustTokenPrivileges
  ADVAPI32.dll::CheckTokenMembership
  ADVAPI32.dll::GetTokenInformation
  ADVAPI32.dll::SetSecurityDescriptorDacl
  ADVAPI32.dll::SetSecurityDescriptorGroup
  ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_API (Manipulates System Shell)
  SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API (Can Create Process and Threads)
  KERNEL32.dll::CreateProcessW
  ADVAPI32.dll::OpenProcessToken
  KERNEL32.dll::OpenProcess
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API)
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::LoadLibraryExA
  KERNEL32.dll::GetSystemInfo
  KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API (Can Execute other programs)
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleCP
  KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API (Can Create Files)
  KERNEL32.dll::CopyFileExW
  KERNEL32.dll::CopyFileW
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::CreateFileA
  KERNEL32.dll::CreateFileMappingW
WIN_BASE_USER_API (Retrieves Account Information)
  KERNEL32.dll::GetComputerNameW
  ADVAPI32.dll::GetUserNameW
  ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API (Can Encrypt Files)
  ADVAPI32.dll::DecryptFileW
WIN_CRYPT_API (Uses Windows Crypt API)
  ADVAPI32.dll::CryptAcquireContextW
  ADVAPI32.dll::CryptCreateHash
  ADVAPI32.dll::CryptGetHashParam
  ADVAPI32.dll::CryptHashData
WIN_REG_API (Can Manipulate Windows Registry)
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyW
  ADVAPI32.dll::RegOpenKeyExW
  ADVAPI32.dll::RegQueryInfoKeyW
  ADVAPI32.dll::RegQueryValueExW
  ADVAPI32.dll::RegSetValueExW
WIN_SVC_API (Can Manipulate Windows Services)
  ADVAPI32.dll::ChangeServiceConfigW
  ADVAPI32.dll::ControlService
  ADVAPI32.dll::OpenSCManagerW
  ADVAPI32.dll::OpenServiceW
  ADVAPI32.dll::QueryServiceConfigW
  ADVAPI32.dll::QueryServiceStatus
WIN_USER_API (Performs GUI Actions)
  USER32.dll::PeekMessageW
  USER32.dll::CreateWindowExW

Comments