aurora

Sharing

Copy URL

Twitter E-mail

General

Target

92d848bbad03abef1bebbe33ef8107d8.zip
Size

10.8MB
Sample

221215-vs48lach63
MD5

92d848bbad03abef1bebbe33ef8107d8
SHA1

3d0bc8cb91967f0e36e9200e02f6e9d1847caeed
SHA256

6ecff9d04bda4d4149f1a78486ede32e15a36b9d94fce5509467b3af1feede01
SHA512

52bceff40443773cd50569384f2c03fe54dec0b8396dcb1ca3c9b7698511823367926641796361093bb435a898e4f0552c1df8925f7560eb9b11afa2440d3700
SSDEEP

196608:wjy7NKFr2IAO2Wu8b3PgZlXD9Sd+FSVeZLZeWNklnk1av9WFt0OYQI8:wu7NKu9zsc1D8d+ccPeWUkQlE

Score

10^/10

Malware Config

Extracted

Family

aurora

79.137.206.138:8081

Targets

- Target
  
  VirtualBox-7.0.2-154219-Win/Focus.dll
- Size
  
  69KB
- MD5
  
  b2dc28e6f5c1a009e170ee757edfbbde
- SHA1
  
  eeb434c436f90d34f8afc5bbb2aed274c1fcab85
- SHA256
  
  a8c85834569b0e6415279ace2b081cd4ddecd0b5251f97ad9ee552b95b3eb913
- SHA512
  
  36d681b08a5c590f7f55433354a479dbeff7277ee629f129a9594bd3914dda793103138b68c27abb55a3935b9670d08e944dd42fa014b40d6201aa3160df706b
- SSDEEP
  
  1536:1BatzfxEtW3kG6T9ylchO/rbgtZeoGh6Kyjwji3hkj:jE0DT9ylchO/rEtK3EiNj
Score

1^/10
behavioral1 behavioral2
- Target
  
  VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe
- Size
  
  677.9MB
- MD5
  
  670e50d1d17dce3d446919680dd657f0
- SHA1
  
  fdbba6ab2df85337f8fefec7da04323ba6e42107
- SHA256
  
  7f43dee28fdf815aca5367694540bcd514c2ad9c1a4c4bc645286403fffb4123
- SHA512
  
  ed31879ce1867b31b9f0868ff797ec92dfb5284381bada666636ff07eb9b4221f60a9fb549984d0b3272e619674031431c7498451ded735ad98de4db5a53e2ba
- SSDEEP
  
  3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9z:eahOcnHn9BF//1cUJU
Score

10^/10

persistence aurora spyware stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  VirtualBox-7.0.2-154219-Win/cbutton.dll
- Size
  
  1.6MB
- MD5
  
  cb661895c58709fcc87ff2fcb92f7785
- SHA1
  
  fd142aef7d7c0c68d78047bcb14e8b2fec07d976
- SHA256
  
  d57a11a1f209a516a074e23a0c4510ba7dceda282400b98fc447d5698bea8963
- SHA512
  
  74c37a84183cc63182fa9f3e6e30e425afb5b7ad07fc3a73330e60b32ff5f56d0c6a74f4bd53c28fd1e55a851c4a8ca2d805972a9d667af2055f232b406b9f00
- SSDEEP
  
  24576:qHvkq0/jEZFD+RAQV24KTxW9FL2itGfnWut6x6PIk0QxjBEN4+TGgIBNnD:GO67/Wut6x6PIsqhTG1BND
Score

1^/10
behavioral5 behavioral6
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/ACE.dll
- Size
  
  1.1MB
- MD5
  
  d0ae82cdf9911bec3eddda128602af04
- SHA1
  
  58e167521f2b028d03aeb6c926d34c2c969fa9c6
- SHA256
  
  f9675304d13efaee32e6b4a3317b64231a59b684532a898d12b4e7ed88518afd
- SHA512
  
  c1520462a8e02ab09e2a101207e88cf6861b48c32b7c2523047251496479740a84987fb19aba4dc8610abe2c81e5f7dbc80c51b8667f4953e17dda583d27557d
- SSDEEP
  
  24576:tmGLzPLOXbuKR17zBXE+MXRHRg2yTEg863NzSxoopoo+F:v3jOyY7zB0+MXRHRg2iBrdzSqF
Score

1^/10
behavioral7 behavioral8
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/AGM.dll
- Size
  
  5.8MB
- MD5
  
  b39b8d45413692ff856e9ba907256c2f
- SHA1
  
  ab06b594a57b8bbe0f4c4ba80a12129953521667
- SHA256
  
  ee32f4cbba3a601d57064695a8ed5955e1b9af984110d34504b8d5ebb132c084
- SHA512
  
  1dcc8bbbc55ac27b0a0b96e28de73338b972e2998bc9c33439c32b721de811b2c9ecf6d7953dfbdfadcbcc0c64f56871d09ae953a449c516578e9e8b3e1df661
- SSDEEP
  
  98304:lUpuc5sPE5fMZywrovF+rMnV17FVgvhiWaOuBue5SlIN:cuMCEZ3wrovF+a5Z
Score

1^/10
behavioral10 behavioral9
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/AIDE.dll
- Size
  
  2.0MB
- MD5
  
  ad388ce4c2cc3aaff605994da782d57e
- SHA1
  
  f43c3f588c77a34e8b81b63247ac1d7657016050
- SHA256
  
  d3ba1adbfeef8f19e4aa570299c06d39a87dfc5fe3d85946270b722e44dacda7
- SHA512
  
  f8e8f0fc5d8e01f8afe1aac55d3a301fa0019c6e80099616abf5a41c09aeabd0294e4391ddac170c2cd5bcff0b9e9cb4b559a2eca50a273e398083542065e27b
- SSDEEP
  
  49152:h50rEANbHm4w0H5QZXjr/nZA9XANcZ4T5lQ:b0rEcbG4w0H5QZTrnZEmlu
Score

3^/10
behavioral11 behavioral12
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat.exe
- Size
  
  3.7MB
- MD5
  
  4d8cec1eb3465a2a3afbbef7fbcf2302
- SHA1
  
  ca31509f6323ef817541e00c960fbfcbfa543ef0
- SHA256
  
  e226528c6697650e6bc75164756f8619551b0a30b1b79cb54f3d3dea08032694
- SHA512
  
  b94e7052e4e52ed1268fb5bab24d9f8eb4b0547d09c9878d71e36af3de6e4c19a722e043f29cb7203834be5c08b7bfa1bd0f76b3428775008f214b5276380466
- SSDEEP
  
  49152:KFah8+jIe+mQHT9rul5P53ox4bD7u3j03chhNF3xBYnZiue4+t5SuWEu4O8b8ITp:Ei8yIWQH5oDS7NdzYnZiu0t5U/q
Score

1^/10
behavioral13 behavioral14
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat32OL.dll
- Size
  
  200KB
- MD5
  
  18e5a6296e02efb842fb3d11ca0c7c63
- SHA1
  
  1a774bc3ec960bf1d639b883ba34de0a101748a8
- SHA256
  
  629b4cef2c394c6a1fad37e5ac6f497b3bdac489270d54f4e98c5dfc925ea883
- SHA512
  
  66fe300a275d0dc403479668a3120e6eb9a84a28736e64b24afc37298e556589b40c191a83f5871b2ad1778e0a8a65f7a0878f29d409b2efb9d51531854c5198
- SSDEEP
  
  6144:tbL7Ohthut5BCRVS989WUY+7F4C9WOOS0mvpMJDJ2C7ejmj:xL7ObhG5BZUYiF4C9WOOS0m+JD
Score

1^/10
behavioral15 behavioral16
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/Acrobat/Adobe.Acrobat.Dependencies.manifest
- Size
  
  298B
- MD5
  
  7bae8b27f113f2c1bdc4181b99117fe9
- SHA1
  
  541f5fa5fa52885e0068a6b891537f254e334609
- SHA256
  
  dae02d5688314c66f9001728eeff6010e8af413867dfe4982b6b2c66625d9bb1
- SHA512
  
  803342e6b91c444128e3fec7e8f64757ec3531e4e4efb5e00a7ae4d7b1fc1cf1d4a42d20b1d986c1a4090567abee79be657983253bd9e8cfdd121a5cbdfc0849
Score

1^/10
behavioral17 behavioral18
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/Acrobat/Onix32.dll
- Size
  
  745KB
- MD5
  
  e03d8bbcf584de58500efdac4c7b6a97
- SHA1
  
  7aac481128eda876bc111b0cb33e202c68ef1f93
- SHA256
  
  58cc0c31514e89a743c9b96c7892c256cd9daaa18bdcff784b8ddb1d5c15a163
- SHA512
  
  eb3346b4d93137476f57eb43c87e4160b5d85431e2e9a75fbf4250161414d290eead6bcdadb290e23f13158ea265da880ddef1cad4b12cce60c0fa9d4f95c3d2
- SSDEEP
  
  12288:JPuGQm/KqPd7dg3EPctRuVcnQUFkZrBzKWe5p7MQnowzk7NugLqKiaC3P2nYs8rh:gGQm/KqPd7dg3EPctRuVcnQUFkZrBzKz
Score

3^/10
behavioral19 behavioral20
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/AdobeXMP.dll
- Size
  
  887KB
- MD5
  
  7c3033588c1a187918cf3fd246069a3f
- SHA1
  
  2b637a9d37de604ae8e98fcbc73746ccc0402b31
- SHA256
  
  e958f4ed8272a96e599ff9f0a79331e7b5109104a9d20d3f760c7eb162daf7e0
- SHA512
  
  80d513d25477081c84af87e8127a02bb332204ad7399ac653a27ca726e446fd25518d36189bf90b10cbf34119d35501e006a2e06dbca5a96dc2348aff6b6fe91
- SSDEEP
  
  24576:7CaZsdfNjJaN0OdQfLCKVkDavzVi5p5bafAAy4:7ZspNQVQdkahi5zaf5R
Score

3^/10
behavioral21 behavioral22
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/BIB.dll
- Size
  
  119KB
- MD5
  
  404de37b800b661ebfaa218b20c8c0c6
- SHA1
  
  2a2416b663ee9d9ec6325d2c70bf05be27a73eac
- SHA256
  
  ca53407b356fcdea51a6d536447ed6b88ad14c87facf421080d141cae837eedc
- SHA512
  
  e6d66bcb0da4ca5456dab376385c73a918fc13c4b0ab9a05d2324dbb7a9fcf197d727acfbedb15e55452b916c9afde0ed01b233868a88ae0f34ee01306289430
- SSDEEP
  
  3072:x9mmiJ1WvqJ7fW7n/WY0EZrZsibdumKr9igRsNpKN02+OzHwn:TkaqJi7M0dO
Score

1^/10
behavioral23 behavioral24
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/BIBUtils.dll
- Size
  
  170KB
- MD5
  
  79622b56347c1fd44b74bd4ea74cb813
- SHA1
  
  51c1e13a4b5aad657c570149c529dd4963adf77a
- SHA256
  
  0f2b3d012a9abe420bc36c62847bba6ca4478ceebc018bad2b19f22d481fcc10
- SHA512
  
  ebc329e0d1d869107043e5b0a0e05d4322fa0a2bbc2c30411d51ce1b4b33778ee94f82ad072cc8cf75222f488e52bf52dfb7481edfdef3e39fd58259685ad195
- SSDEEP
  
  3072:0VMWnX3e6TCL2ssOGpibdy1ZLKDZW7TPtAlgeoVA/sis/zquLtyQh1g:0JnHeKk2s03q0nh
Score

1^/10
behavioral25 behavioral26
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/CoolType.dll
- Size
  
  3.2MB
- MD5
  
  6fb9f15b6a1dd1ee9cdb9b4ef290d69e
- SHA1
  
  c5955655e9b96004a72bbb09aa72996f3ddaa539
- SHA256
  
  d4a0db913fa555808ce627114fe6e2725970499c70364edbedf47d907d52242d
- SHA512
  
  24be26d2e0dc3e05f786ce3eee815247261fe99e1bff08e689d71bf68e7d5340e942aaaefd9203569f63c23a5f5cb46c1ff6a2d91f2753fd6d78240fffa7beed
- SSDEEP
  
  49152:37sVoVC47fsPVTs57ovd2MMg6NYpnd3EQUyfha+P/u6LSXvowU7u9qRXApP4Cqrt:37RCwfsdTk+dlb73ELyfhlf9K4Cqi3
Score

3^/10
behavioral27 behavioral28
- Target
  
  VirtualBox-7.0.2-154219-Win/x86/JP2KLib.dll
- Size
  
  508KB
- MD5
  
  73c0da5c825e3a2275dbef4f8dae0813
- SHA1
  
  6f6191867fddf3c284066dd855512198c509d64c
- SHA256
  
  979851cac4a2a0e394f06ca7139d7402911048b094f550dd9b33d1203ae92862
- SHA512
  
  aa01cba77cf94d3a4c66ac7169414d4d7f91d8965d312bb46430b766affe0ff93c241a84ad9e1796c08c28fcbc613c9d98cde37b2b4914e801abff6c638a111b
- SSDEEP
  
  12288:tskp3VH/G2LrUUIGVC3hCDfF5AzO5qkkZalIf+AGzVYu5uRcyef0njWcArh45j:tsK3VH/dlIGAGzqu07ef0qO
Score

1^/10
behavioral29 behavioral30

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30