General

  • Target

    Adobe2023.zip

  • Size

    471.0MB

  • Sample

    221227-dcgc6aeb52

  • MD5

    96c8fc4156f84c33b56ddf8782b1f5c7

  • SHA1

    fd11478eda85f1e102c3d58ce0d8b6af10d25d59

  • SHA256

    aad8d1f6793e6684a4506a4372a2c4fca7aebe6823bee3be69f400c10a42e2e7

  • SHA512

    a4197aca4809f59de4accc5fc0cc8af89c8a10fb0fc81e6e12b49058ab3728509bd65da3b3cf6051574a7b26939c324d403fc1666dab1bf44f3032d01e11c00c

  • SSDEEP

    12582912:K276MxULma0tRrJsVWZgReCWLk7+hN2cEWD1VqU1n/vbAd4:KLMyLma0tRrmVWaRF2k7+hN2a3qInbI4

Malware Config

Extracted

Family

aurora

C2

45.15.156.97:8081

Targets

    • Target

      Adobe 2023/Adobe 2023/Set-up.exe

    • Size

      549.1MB

    • MD5

      2f327237956364211eb0dae7c13e6f3c

    • SHA1

      199dd468ea2aee3f47cf6be8dd1ba5e6ae036f20

    • SHA256

      c7d52c41c8e92a67ec3fa5e26b9a6dafeb85a50a78484640d4ea0ce9497a4d31

    • SHA512

      a813da9d20d638438a36811ce971a38c7bd9c9a6669c4e1a7c07c6056c848be52a5ada88d41c4b2200dba64bdc579f15947becc8698d402006bf17ceb723714a

    • SSDEEP

      24576:LdBDfXJYotw5h9FqbcmM6HjxLshg41nMOOqRoJoHM3EKHlA:Lf/lR7Hjt4iO9OWHwEX

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target

      AdobeIPCBroker.exe

    • Size

      1.0MB

    • MD5

      2281dffdb1988937b6c9d30128e64b42

    • SHA1

      549c86e215b80f67a036fa93304fcb367e0f346d

    • SHA256

      99557b43cd337e46afab2d277fc0e8cfe668241780e68dd4c88c9099f65c809b

    • SHA512

      8bbc920054c842d6bb8ba5e3e5896dff6c56a6662a35dcde952a4a4b68d726352d9ffbee8734590214e6c640332d913a63802a2aed666794d4554c03f592be31

    • SSDEEP

      24576:9PHeMy8QQGeQrRUm7KAd6JtFMGFWwa5iksXSGBwKMDHreO9w7chAd:ZbhSnKAwCWjMmXtgBwp

    • Score

      1/10

    • Target

      customhook/AdobeIPCBrokerCustomHook.exe

    • Size

      197KB

    • MD5

      64100ce9dd9e670e28a487aabe7c1241

    • SHA1

      4ac3eeb414d7d8d1c80b8644e445d2684991150f

    • SHA256

      e97c8ed6d6c95556c11f73149a54b759548fd144e23f320ffa573709db9ccba7

    • SHA512

      8527b9df907e98f0e810583cb1e64b7f8486e540daea5a7c0052e96d94516290eeb4f22163ed16b17006974d407132565e2c48d653ba385ab86857c0290d7cef

    • SSDEEP

      3072:cjetgAXQLGOyYJI++TNHWtGm7B8xOVafniAg0Fujo+LXV5trbcCy:cjeAy+UN2t3AOb35bcCy

    • Score

      1/10

    • Target

      Adobe 2023/Adobe 2023/packages/setup.exe

    • Size

      252KB

    • MD5

      0e630bf592cd9eb03f74857b1bdc7e7e

    • SHA1

      1bc476b5be0627edf96b9a25f6206e05eff453ce

    • SHA256

      b4e1bd41eb77767c255bbba6f6753af9c8072aade7554361b045193775c093f8

    • SHA512

      9ef3e186b8731f7fc3296b1e34ef8a7a58a0058e865c978dc5355dc6b64f09db945f91b94baaa9bd25ddc5a66757a4b657387891bce145820ebfae76b03ff374

    • SSDEEP

      6144:oE8HjWYkxPI6prG8erwy5jo3TkvZkRBK99:T8HjWTxA6M8erwyFeGf

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

MITRE ATT&CK Enterprise v6

Tasks