General

  • Target

    daff494505d1dda2813860ca1bb7c6a49847de0aa2ac732db81b1d0ca787d5ac

  • Size

    255KB

  • Sample

    221231-wytvgsdd4t

  • MD5

    3c0240c60663a313dc0ff12014f57ecc

  • SHA1

    be036ba6bd08ee2496393cc7f13a7a23fb63968b

  • SHA256

    daff494505d1dda2813860ca1bb7c6a49847de0aa2ac732db81b1d0ca787d5ac

  • SHA512

    5e9d7ccca7450645641e47dbc2eaf5357eaf7a80206159d565e5e20ab03e0fb757a5b99a76343c0a74707c3da37b8751095ca6b7b71486963b6d43c147dbe5a9

  • SSDEEP

    3072:wmZsVu1paLniBsFbnRhc12wZuvZNxBC2J+Y2cQ25xymqqojx27hZY:AoeL/Fb7c12wZuvH3C2L2/25n7wMZY

Malware Config

  • Extracted

    Family: aurora

    C2: 45.15.156.97:8081

Targets

    • Target

      daff494505d1dda2813860ca1bb7c6a49847de0aa2ac732db81b1d0ca787d5ac

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks