General

  • Target: 9d2cea326b28175bb93148541991dae696cc970cba7381e101f502110993a239
  • Size: 139KB
  • Sample: 221225-xbebysbh76
  • MD5: 12ee65b134b4f6d9263158679fe3d826
  • SHA1: 0b2de22d75a3c69e05da731c12a776988174b99b
  • SHA256: d6ee2054da28f93dfac088c4273a9609e53f9f9e0514cb7e2a0ebfb1969c18a6
  • SHA512: e5d828f458b2bbb0c77783101f2fe375ebe309fa9e9667fb0efed81cc7b76d343e26748376c815fbcb1ce83ab7f69a9821fa0b331ec41b42a7571757442bad3d
  • SSDEEP: 3072:/ApSsuUahcyHLf3bs0waetfGwjq9vlmWt6ven5znjsd:/AphOc6et7jq9vd6vk5vsd

Malware Config

Extracted

  • Family: aurora
  • C2: 195.43.142.218:8081
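As an added example (not part of the sandbox report), a small Python detection that hunts the extracted C2 endpoint in network logs and emits a matching Suricata rule. The conn.log records below are constructed for the example; the IP and port are the ones extracted from the sample's config above; the SID is an arbitrary local-rule number.

```python
"""Hunt the extracted Aurora C2 endpoint in network logs.

Added example, not part of the sandbox report. The conn.log records are
constructed for the example; the C2 IP and port are the ones extracted
from the sample's config in the report above.
"""
import ipaddress

# Indicator taken from the report's "Malware Config" section.
C2_IP = "195.43.142.218"
C2_PORT = 8081

# Constructed Zeek-style conn.log records (TSV, a subset of the real columns):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
CONN_LOG = """\
1671980001.123\tCabc1\t10.0.0.15\t49812\t195.43.142.218\t8081\ttcp\tSF
1671980002.456\tCabc2\t10.0.0.15\t49813\t142.250.74.46\t443\ttcp\tSF
1671980003.789\tCabc3\t10.0.0.22\t50120\t195.43.142.218\t443\ttcp\tS0
1671980004.000\tCabc4\t10.0.0.31\t50300\t195.43.142.218\t8081\tudp\tS0
"""


def indicator_is_routable(ip):
    """Sanity check before deploying: sandbox-extracted C2s are sometimes
    loopback/private decoys that would only generate noise."""
    return ipaddress.ip_address(ip).is_global


def parse_conn_log(text):
    """Parse the TSV records above into dicts; skips comments and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({
            "ts": float(f[0]), "uid": f[1],
            "orig_h": f[2], "orig_p": int(f[3]),
            "resp_h": f[4], "resp_p": int(f[5]),
            "proto": f[6], "state": f[7],
        })
    return rows


def match_c2(rows, ip=C2_IP, port=C2_PORT):
    """Split hits into high-confidence (exact ip:port over TCP) and
    lower-confidence (same IP, other port or protocol); the latter is worth
    surfacing because C2 hosts often serve more than one port."""
    exact, ip_only = [], []
    for r in rows:
        if r["resp_h"] != ip:
            continue
        if r["resp_p"] == port and r["proto"] == "tcp":
            exact.append(r["uid"])
        else:
            ip_only.append(r["uid"])
    return {"exact": exact, "ip_only": ip_only}


def suricata_rule(ip=C2_IP, port=C2_PORT, sid=1000001):
    """Suricata rule for the exact endpoint; sid is an arbitrary local-rule id."""
    return (
        f"alert tcp $HOME_NET any -> {ip} {port} "
        f'(msg:"Aurora stealer C2 traffic (sandbox-extracted config)"; '
        f"flow:to_server,established; classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    assert indicator_is_routable(C2_IP)
    hits = match_c2(parse_conn_log(CONN_LOG))
    print("exact:", hits["exact"], "ip-only:", hits["ip_only"])
    print(suricata_rule())
```

The exact match (Cabc1) is the alert; the two IP-only hits (Cabc3 on 443, Cabc4 over UDP) are surfaced as lower-confidence leads rather than silently dropped, since the same host may run other listeners.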

Targets

    • Target: 9d2cea326b28175bb93148541991dae696cc970cba7381e101f502110993a239
    • Size: 221KB
    • MD5: afecb82dd2b59e52ef71282f80b229ad
    • SHA1: 4e530e9e038f5c475428982e674fa50bd4d8bb99
    • SHA256: 9d2cea326b28175bb93148541991dae696cc970cba7381e101f502110993a239
    • SHA512: 447ee754d3874b5b309c0178ebfa550e639f7664ba4a1c6d36afaca0c789248877be8f5f71bd8cb10d285b5c5e928a6ca99f3fd45995fa9e52e81c6f3eab8227
    • SSDEEP: 3072:4k6LzRHRIZJ1952/rP1rLw1uEiCMz9tJ/eoqw7RkxmJZs:QLztRIT1mDVcuoMzLJ/eFGymI

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2
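As an added example (not part of the sandbox report), a Python hunt over endpoint telemetry for the behaviours the signatures above describe: an executable written to a user-writable directory and then run, a non-browser process reading browser credential stores, a non-wallet process touching wallet files, and vbc.exe launched from a user-writable path. The event records use a simplified, hypothetical EDR export schema (not Sysmon's) and are constructed for the example; the path patterns are typical locations of browser stores and wallet files, not taken from the sample; mapping the report's "Uses the VBS compiler" signature to vbc.exe is an assumption.

```python
"""Hunt for the stealer behaviours listed in the report in endpoint telemetry.

Added example, not part of the sandbox report. The event records use a
simplified, hypothetical EDR export schema (not Sysmon's) and are
constructed for the example. Path patterns are typical locations of
browser credential stores and wallet files, not taken from the sample.
"""
import ntpath
import re

# Browser credential/cookie/autofill stores (Chromium family and Firefox).
BROWSER_STORE = re.compile(
    r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
BROWSER_OWNERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# Common wallet locations: Bitcoin Core, Exodus, Electrum, Ethereum keystore.
WALLET_PATH = re.compile(
    r"\\(wallet\.dat$|exodus\.wallet\\|Electrum\\wallets\\|Ethereum\\keystore\\)", re.I)
WALLET_OWNERS = {"bitcoin-qt.exe", "exodus.exe", "electrum.exe", "geth.exe"}

# Directories an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local\\Temp|Local|Roaming)\\|\\Users\\[^\\]+\\(Downloads|Desktop|Public)\\", re.I)

TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"

# Constructed telemetry: a benign browser, then a dropper chain on WS01, noise on WS02.
EVENTS = [
    {"host": "WS01", "event": "process_create", "proc": CHROME, "parent": "C:\\Windows\\explorer.exe", "path": ""},
    {"host": "WS01", "event": "file_access", "proc": CHROME, "parent": "", "path": LOGIN_DATA},
    {"host": "WS01", "event": "file_create", "proc": "C:\\Users\\alice\\Downloads\\setup.exe", "parent": "C:\\Windows\\explorer.exe", "path": TMP + "upd.exe"},
    {"host": "WS01", "event": "process_create", "proc": TMP + "upd.exe", "parent": "C:\\Users\\alice\\Downloads\\setup.exe", "path": ""},
    {"host": "WS01", "event": "file_access", "proc": TMP + "upd.exe", "parent": "", "path": LOGIN_DATA},
    {"host": "WS01", "event": "file_access", "proc": TMP + "upd.exe", "parent": "", "path": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"host": "WS01", "event": "process_create", "proc": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "parent": TMP + "upd.exe", "path": ""},
    {"host": "WS02", "event": "file_create", "proc": "C:\\Windows\\explorer.exe", "parent": "", "path": "C:\\Users\\bob\\Documents\\notes.txt"},
]


def hunt(events):
    """Return one finding per matched rule; events must be in time order so a
    dropped file can be linked to its later execution."""
    findings = []
    dropped = set()  # lower-cased paths of .exe files written to user-writable dirs
    for e in events:
        proc, base = e["proc"], ntpath.basename(e["proc"]).lower()
        path = e["path"]

        def hit(rule):
            findings.append({"host": e["host"], "rule": rule, "proc": proc, "path": path})

        if e["event"] == "file_create":
            if path.lower().endswith(".exe") and USER_WRITABLE.search(path):
                dropped.add(path.lower())            # "Downloads MZ/PE file" candidate
        elif e["event"] == "process_create":
            if proc.lower() in dropped:
                hit("executes_dropped_exe")          # "Executes dropped EXE"
            # Assumption: the report's "Uses the VBS compiler" denotes vbc.exe; a
            # .NET compiler launched by a process in a user-writable path is not a build.
            if base == "vbc.exe" and USER_WRITABLE.search(e["parent"]):
                hit("vbc_spawned_by_user_writable_parent")
        elif e["event"] == "file_access":
            if BROWSER_STORE.search(path) and base not in BROWSER_OWNERS:
                hit("browser_credential_store_read")  # "Reads user/profile data of web browsers"
            if WALLET_PATH.search(path) and base not in WALLET_OWNERS:
                hit("crypto_wallet_access")           # "Accesses cryptocurrency files/wallets"
    return findings


def summarize(findings):
    """Per-host sorted list of triggered rules, handy for scoring."""
    out = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in out.items()}


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["rule"], f["proc"], f["path"])
    print(summarize(hunt(EVENTS)))
```

The owner allowlists are what keep the browser and wallet rules usable: the browser itself reading Login Data is normal, a binary running from %TEMP% reading it is not. Several of these rules firing on one host within a short window is the signal to pivot to the C2 indicator from the extracted config.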

MITRE ATT&CK Enterprise v6

Tasks