aurora | bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26 | Triage

Sharing

General

Target

bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
Size

231KB
Sample

221225-v3l5rsbg88
MD5

a5f5f37a1847dfb887afe130c5838633
SHA1

3ffdfe8a0a11303521f287888e0b8669d88433da
SHA256

bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
SHA512

ffb2e678256ea987eb2c462df2bf4f4e04958bcd37d56a717290da6dc1c12061f84f8b6f303aa593191b15c463a4650962e1d0cadfca5f64b02c73af215cceb7
SSDEEP

3072:Rbud1LNTJc5Hm7Gs4V2GEl6pAT23tJ/NewSw7RkxmJZs:R4LVJom7DGndJ/EDGymI

Score

10^/10

aurora redline smokeloader 11 backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes

auth_value
107e09eee63158d2488feb03dac75204

Extracted

Family

aurora

C2

195.43.142.218:8081

Targets

- Target
  
  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
- Size
  
  231KB
- MD5
  
  a5f5f37a1847dfb887afe130c5838633
- SHA1
  
  3ffdfe8a0a11303521f287888e0b8669d88433da
- SHA256
  
  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
- SHA512
  
  ffb2e678256ea987eb2c462df2bf4f4e04958bcd37d56a717290da6dc1c12061f84f8b6f303aa593191b15c463a4650962e1d0cadfca5f64b02c73af215cceb7
- SSDEEP
  
  3072:Rbud1LNTJc5Hm7Gs4V2GEl6pAT23tJ/NewSw7RkxmJZs:R4LVJom7DGndJ/EDGymI
Score

10^/10

aurora redline smokeloader 11 backdoor infostealer spyware stealer trojan
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

auroraredlinesmokeloader11backdoorinfostealerspywarestealertrojan