Aura Stealer #1 36bytesmademelosemymind
Published: 2025-10-22 · Archived: 2026-04-06 01:06:56 UTC
Hello it’s me again
today i gonna share my thought process and experience with aura stealer
i was looking for some new malware with either a virtual machine or some neat obfuscation. lookin through some
forums and news i saw a stealer named Aura Stealer mentioned couple of times. it does not seem to be a big
stealer yet but lets see how lumma doing in the next couple of months with all the law enforcement on their asses.
sooo i decided to focus on that one i got the hash from this blog https://foresiet.com/blog/aura-stealer-malware-analysis/
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 1 of 15

the random generated icon looks kinda cool tho :3
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 2 of 15

https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 3 of 15

after seeing this i was a bit overwhelmed. to make sure this was the real aurastealer and not some packer/crypter i
ran it and dumped it with pd32 https://github.com/glmcdona/Process-Dump
after dumping we can see that the file went from 2.40MB to 408B which gave me hope
the binary is still obfuscated but much less. so after traveling some functions and examining the startin route i
found this.
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 4 of 15

here we can see the return a1 this means that a1 is most likely important ;3 so lets look into that.
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 5 of 15

RunImage sounds good lets dig deeper.
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 6 of 15

https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 7 of 15

here we can see some xoring from some byte array going on nice. That is a good indicator ^-^
i assume this is decompression because of the size calculation and would fit into typical malware thingis.
size_compressed = 285851 - dword_1349000
first i tried decrypt_xor -> decompress but that did not work o_O sooo lets find out why:
if we look into our first file (right picture) we can find the same unpacking mechanism like in our dumped file
(left picture) just with another key and another byte array.
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 8 of 15

lets write some python script to extract that.
^ for the pattern
import sys
import pefile
import struct
import os
PATTERNS = [
 {
 'name': 'xor_decrypt_loop',
 'asm': [
 'movzx eax, byte ptr [eax + KEY_ADDR]',
 'xor al, byte ptr [edx + BLOB_ADDR]'
 ],
 'sig': '0F B6 80 ?? ?? ?? ?? 32 82 ?? ?? ?? ??',
 'key_offset': 3,
 'blob_offset': 9,
 'size_check': {
 'asm': 'cmp edx, SIZE',
 'sig': '81 FA ?? ?? ?? ??',
 'value_offset': 2,
 'search_range': 0x100
 }
 }
]
def parse_sig(sig):
 parts = sig.split()
 pat = []
 for p in parts:
 if p == '??':
 pat.append(None)
 else:
 pat.append(int(p, 16))
 return pat
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 9 of 15

def find_pat(data, sig):
 pat = parse_sig(sig)
 for i in range(len(data) - len(pat)):
 match = True
 for j, b in enumerate(pat):
 if b is not None and data[i + j] != b:
 match = False
 break
 if match:
 return i
 return -1
def find_addrs(exe_path):
 pe = pefile.PE(exe_path)
 
 for sec in pe.sections:
 if b'.text' not in sec.Name:
 continue
 
 data = sec.get_data()
 
 for pat in PATTERNS:
 off = find_pat(data, pat['sig'])
 if off == -1:
 continue
 
 key_start = off + pat['key_offset']
 key_va = struct.unpack('<I', data[key_start:key_start + 4])[0]
 
 blob_start = off + pat['blob_offset']
 blob_va = struct.unpack('<I', data[blob_start:blob_start + 4])[0]
 
 sz_check = pat['size_check']
 search_end = off + sz_check['search_range']
 sz_off = find_pat(data[off:search_end], sz_check['sig'])
 if sz_off == -1:
 continue
 
 sz_start = off + sz_off + sz_check['value_offset']
 sz = struct.unpack('<I', data[sz_start:sz_start + 4])[0]
 
 return key_va, blob_va, sz
 
 return None, None, None
def decrypt_exe(exe_path):
 pe = pefile.PE(exe_path)
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 10 of 15

key_va, blob_va, sz = find_addrs(exe_path)
 
 if not all([key_va, blob_va, sz]):
 print("Pattern not found")
 return False
 
 print(f"Key address: 0x{key_va:08X}")
 print(f"Blob address: 0x{blob_va:08X}")
 print(f"Size: 0x{sz:X} ({sz} bytes)")
 
 key_rva = key_va - pe.OPTIONAL_HEADER.ImageBase
 blob_rva = blob_va - pe.OPTIONAL_HEADER.ImageBase
 
 key = pe.get_data(key_rva, 32)
 enc = pe.get_data(blob_rva, sz)
 
 if not key or not enc:
 print("Failed to extract data")
 return False
 
 print(f"Key: {' '.join(f'{b:02X}' for b in key[:32])}")
 print(f"First 32 bytes of encrypted data: {' '.join(f'{b:02X}' for b in enc[:32])}")
 
 dec = bytearray(sz)
 for i in range(sz):
 dec[i] = enc[i] ^ key[i & 0x1F]
 
 off = 0x4F4
 if off < len(dec) and dec[off:off + 2] == b'MZ':
 dec = dec[off:]
 
 out = os.path.join(os.path.expanduser("~"), "Desktop", "decrypted.bin")
 with open(out, "wb") as f:
 f.write(dec)
 
 print(f"Wrote {len(dec)} bytes to {out}")
 return True
def main():
 if len(sys.argv) != 2:
 sys.exit(1)
 
 decrypt_exe(sys.argv[1])
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 11 of 15

if __name__ == "__main__":
 main()
now we can compare the clean decrypted.bin with our initial dumped file
yeah this confirms the problem we had before. the dumped file already is decrypted so we just need to use lzma on
that. the problem we had before was that we basically encrypted it again kek.
*i wanted to write a full unpacker but for some reason the lzma was corrupted and 36 bytes were different - after
12h i could not figure out why. if you do pls tell me, this shit keeps me up at night ty ;3 that means we can just
dump the left buffer and extract at the starting lzma header offset and then decompress it.
import ida_bytes
import os
addr = 0x1349078
size = 0x45C9B - 0x48
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 12 of 15

data = ida_bytes.get_bytes(addr, size)
if data:
 output_path = os.path.join(os.path.expanduser("~"), "Desktop", "dump.bin")
 with open(output_path, "wb") as f:
 f.write(data)
 print("Wrote %d bytes to %s" % (len(data), output_path))
else:
 print("Failed to read data at 0x%X" % addr)
soooOoo lets open dump in ida and look at our new stage. first i wanted to make sure that this is the real stealer
and looked for some indicators.
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 13 of 15

https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 14 of 15

looking at the strings we can see some chromium browser paths which should be enough. I wonder if APPBYKEY
has anything to do with Chrome’s Appbound encryption & decryption O_o
the next blogs about aura will cover the obfuscation and config decrypter.
SHA-256: bac52ffc8072893ff26cdbf1df1ecbcbb1762ded80249d3c9d420f62ed0dc202
thanks for reading!
greetz to ma homies
eversince
deluks
and c0ner0ne
you are cool and badass >:3
Source: https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
https://blog.xyris.mov/posts/aura-stealer-%231-36bytesmademelosemymind/
Page 15 of 15