SYMBOLCOMMON_NAMEaka. SYNONYMS
win.aurastealer (Back to overview)

Aura Stealer

aka: AURA Stealer, AURASTEAL
VTCollection    

In July 2025, threat actor AuraCorp began advertising Aura Stealer as a Malware-as-a-Service (MaaS) program with multiple subscription tiers on underground forums. The information stealer targets credentials from over 110 browsers, 70 applications, and 250+ browser extensions, including cryptocurrency wallets and 2FA tools, while using AES-256 encryption for C2 communications. Notable features include seamless Chromium cookie harvesting without process termination, server-side App-Bound data decryption, and a built-in payload loader with custom morphing for detection evasion.

References
2026-05-18Gen Threat LabsGen Threat Labs
X.com - Gen Threat Labs - AuraStealer (version 1.8.0)
Aura Stealer
2026-02-27IntrinsecGilbert Kallenborn
Analysis of AuraStealer, an emerging infostealer
Aura Stealer
2025-12-18Gen Digital IncVojtěch Krejsa
Gen Blogs | Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers
Aura Stealer
2025-10-2901xyris01xyris
Aura Stealer #2 beatin the obfuscation
Aura Stealer
2025-10-2201xyris01xyris
Aura Stealer #1 36bytesmademelosemymind
Aura Stealer
2025-07-29ForesietForesiet
AURA Stealer: A Crude Clone of LummaC2 – Technical Analysis and Threat Breakdown
Aura Stealer
Yara Rules
[TLP:WHITE] win_aurastealer_auto (20260504 | Detects win.aurastealer.)
rule win_aurastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.aurastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurastealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb6c8 e8???????? 8a0c24 30f9 }
            // n = 4, score = 1600
            //   0fb6c8               | movzx               ecx, al
            //   e8????????           |                     
            //   8a0c24               | mov                 cl, byte ptr [esp]
            //   30f9                 | xor                 cl, bh

        $sequence_1 = { 0fb6c9 52 51 50 89fd }
            // n = 5, score = 1600
            //   0fb6c9               | movzx               ecx, cl
            //   52                   | push                edx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   89fd                 | mov                 ebp, edi

        $sequence_2 = { 0fb6c8 e8???????? 88442409 8b4c2410 }
            // n = 4, score = 1600
            //   0fb6c8               | movzx               ecx, al
            //   e8????????           |                     
            //   88442409             | mov                 byte ptr [esp + 9], al
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]

        $sequence_3 = { 0fb6ca e8???????? 325c2401 30c3 }
            // n = 4, score = 1600
            //   0fb6ca               | movzx               ecx, dl
            //   e8????????           |                     
            //   325c2401             | xor                 bl, byte ptr [esp + 1]
            //   30c3                 | xor                 bl, al

        $sequence_4 = { 0fb6c8 e8???????? 88442408 0fb6c8 }
            // n = 4, score = 1600
            //   0fb6c8               | movzx               ecx, al
            //   e8????????           |                     
            //   88442408             | mov                 byte ptr [esp + 8], al
            //   0fb6c8               | movzx               ecx, al

        $sequence_5 = { 0fb6c8 e8???????? 88442407 89d8 }
            // n = 4, score = 1600
            //   0fb6c8               | movzx               ecx, al
            //   e8????????           |                     
            //   88442407             | mov                 byte ptr [esp + 7], al
            //   89d8                 | mov                 eax, ebx

        $sequence_6 = { 01de ff742408 55 56 e8???????? }
            // n = 5, score = 1600
            //   01de                 | add                 esi, ebx
            //   ff742408             | push                dword ptr [esp + 8]
            //   55                   | push                ebp
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_7 = { 01de eb41 c746140f000000 89d8 83c80f 83f817 bd16000000 }
            // n = 7, score = 1600
            //   01de                 | add                 esi, ebx
            //   eb41                 | jmp                 0x43
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   89d8                 | mov                 eax, ebx
            //   83c80f               | or                  eax, 0xf
            //   83f817               | cmp                 eax, 0x17
            //   bd16000000           | mov                 ebp, 0x16

        $sequence_8 = { 0002 8a0c0f 83c40c 020e }
            // n = 4, score = 100
            //   0002                 | add                 byte ptr [edx], al
            //   8a0c0f               | mov                 cl, byte ptr [edi + ecx]
            //   83c40c               | add                 esp, 0xc
            //   020e                 | add                 cl, byte ptr [esi]

        $sequence_9 = { 01442420 13d1 c1eb0b 0fa4c115 }
            // n = 4, score = 100
            //   01442420             | add                 dword ptr [esp + 0x20], eax
            //   13d1                 | adc                 edx, ecx
            //   c1eb0b               | shr                 ebx, 0xb
            //   0fa4c115             | shld                ecx, eax, 0x15

        $sequence_10 = { 01442428 8bf1 13d9 33d2 }
            // n = 4, score = 100
            //   01442428             | add                 dword ptr [esp + 0x28], eax
            //   8bf1                 | mov                 esi, ecx
            //   13d9                 | adc                 ebx, ecx
            //   33d2                 | xor                 edx, edx

        $sequence_11 = { 014c241c 13f0 33d2 89742420 }
            // n = 4, score = 100
            //   014c241c             | add                 dword ptr [esp + 0x1c], ecx
            //   13f0                 | adc                 esi, eax
            //   33d2                 | xor                 edx, edx
            //   89742420             | mov                 dword ptr [esp + 0x20], esi

        $sequence_12 = { 0144241c 8b7c2424 136c2414 33c0 }
            // n = 4, score = 100
            //   0144241c             | add                 dword ptr [esp + 0x1c], eax
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]
            //   136c2414             | adc                 ebp, dword ptr [esp + 0x14]
            //   33c0                 | xor                 eax, eax

        $sequence_13 = { 0128 42 3bd7 72db }
            // n = 4, score = 100
            //   0128                 | add                 dword ptr [eax], ebp
            //   42                   | inc                 edx
            //   3bd7                 | cmp                 edx, edi
            //   72db                 | jb                  0xffffffdd

        $sequence_14 = { 012c18 42 3bd7 72dc }
            // n = 4, score = 100
            //   012c18               | add                 dword ptr [eax + ebx], ebp
            //   42                   | inc                 edx
            //   3bd7                 | cmp                 edx, edi
            //   72dc                 | jb                  0xffffffde

        $sequence_15 = { 014c2420 8be8 13f0 33ff }
            // n = 4, score = 100
            //   014c2420             | add                 dword ptr [esp + 0x20], ecx
            //   8be8                 | mov                 ebp, eax
            //   13f0                 | adc                 esi, eax
            //   33ff                 | xor                 edi, edi

    condition:
        7 of them and filesize < 1918976
}
Download all Yara Rules