General

  • Target

    VirtualBox-7.0.2-154219-Win.exe

  • Size

    780KB

  • Sample

    221215-xelv7sda95

  • MD5

    35c4199af620e774fc51228a61c3b226

  • SHA1

    1afb7f9a834b62133c46da273b788b941cc58533

  • SHA256

    f313bf5d9b50d94ccfe4d22a0d1561e9d2b8cb525752ce15aaa7b53ca1d05f04

  • SHA512

    8e9e8923442d4d2c3d9b99cdbafd12159cf08c1a6c63a774157eef03f4c606064e46caafcf534f812583618dd8c298e9933af9248176b0cb7963d4229284beba

  • SSDEEP

    3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9:eahOcnHn9BF//1cUJ

Malware Config

  • Extracted

    Family

    aurora

    C2

    79.137.206.138:8081

Targets

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks