{
	"id": "90333309-2cbd-4515-b11a-a445f9a43f42",
	"created_at": "2026-04-06T00:16:24.668896Z",
	"updated_at": "2026-04-10T03:22:01.247688Z",
	"deleted_at": null,
	"sha1_hash": "7be22a36ce1aed858a68dc7e370de569d4c3ac02",
	"title": "in2al5dp3in4er Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49196,
	"plain_text": "in2al5dp3in4er Loader\r\nPublished: 2023-04-23 · Archived: 2026-04-05 15:54:25 UTC\r\nAurora Stealer\r\nThe extracted 2nd stage is the golang stealer sold as \"Aurora Stealer\" malpedia.\r\n21545028cac12fc9e8692a71247040718e6d640ee6117d1b19f4521f886586be UnpacMe\r\nPacker ID\r\nWe can make a simple yara rule based on the following\r\nriid for CreateDXGIFactory call\r\nEC 66 71 7B C7 21 AE 44 B2 1A C9 AE 32 1A E3 69\r\nimports\r\nCreateDXGIFactory from DXGI.dll\r\nchecks\r\ncmp eax, 887A0002h\r\n3D 02 00 7A 88\r\ngfx whitelist ids\r\n{29 9? 01 00}\r\nRule\r\nimport \"pe\"\r\nimport \"math\"\r\nrule riid_hunt {\r\n strings:\r\n $riid = { EC 66 71 7B C7 21 AE 44 B2 1A C9 AE 32 1A E3 69 }\r\n $embarcadero = \"This program must be run under Win32\" ascii\r\n $import = \"CreateDXGIFactory\" ascii wide\r\n condition:\r\n all of them and\r\n for any i in (0..(pe.number_of_sections)-1) :\r\n (\r\n pe.sections[i].name == \".data\" and\r\n math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >= 7\r\n )\r\n}\r\n48 8D 05 9A 94 16 00 lea rax, blob\r\n48 B9 EE EE DE DD CD CC BB 0A mov rcx, 0ABBCCCDDDDEEEEEh\r\n48 BA 55 55 45 44 34 23 12 00 mov rdx, 12233444455555h\r\n49 B8 CC CC B3 BB A2 1A 00 00 mov r8, 1AA2BBB3CCCCh\r\n4C 63 4D E0 movsxd r9, [rbp+var_20]\r\n48 8D 05 D1 93 16 00 lea rax, blob\r\n48 B9 81 FD A9 98 F6 50 00 00 mov rcx, 50F698A9FD81h\r\n48 BA 1B 06 AC 5D DE F8 ED 00 mov rdx, 0EDF8DE5DAC061Bh\r\n49 B8 04 68 7C AA 99 9D 0B 00 mov r8, 0B9D99AA7C6804h\r\n4C 63 4D E8 movsxd r9, [rbp+var_18]\r\nSource: https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html"
	],
	"report_names": [
		"in2al5dp3in4er.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7be22a36ce1aed858a68dc7e370de569d4c3ac02.pdf",
		"text": "https://archive.orkl.eu/7be22a36ce1aed858a68dc7e370de569d4c3ac02.txt",
		"img": "https://archive.orkl.eu/7be22a36ce1aed858a68dc7e370de569d4c3ac02.jpg"
	}
}