IOC - Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers
TLP:WHITE | celestre | Created: 2025-12-22 | Modified: 2025-12-22
45 IOCs (medium volume)
AuraStealer is a rapidly growing infostealer-as-a-service, actively promoted across multiple underground forums since July 2025. The stealer is developed in C++ with a build size of ~500-700 kB and targets Windows systems from Windows 7 through Windows 11. It is marketed as a highly efficient, low-footprint stealer capable of stealing data from more than 110 browsers, 70 applications (including wallets and 2FA tools) and over 250 browser extensions, with the ability to expand its collection scope further through a customizable configuration. Contrary to the advertised claims, AuraStealer still contains multiple flaws that undermine its stealth and evasion capabilities, offering clear detection opportunities for defenders.
Indicators of Compromise (45)