General

  • Target

    56412a0fdda35a4e4eaeee929670575fb9b4e86943395af2b9fdf9bee8f21a56

  • Size

    159KB

  • Sample

    221231-xj6q6sde5z

  • MD5

    b3311c6786d107480a823aae3e33fcbd

  • SHA1

    7e0cc8e8e650640f81d2365fa1572c9a6084dc47

  • SHA256

    4f5e8d2a2f16d331c412ab2ca4f67b1b0c870ce5e50f7ecda417e1f980accba4

  • SHA512

    002ef82fa546806e3bd703cbcab4ba12af711cc09aabb6986c09843a14994cfbaafdba2fbf1d3e040eef29aa3b6b892e6d8c6baff27135aa755160f172901437

  • SSDEEP

    3072:aeFjuSkJV4uEswxlxewuxYUOTzHdgFZe8V3QRFkS9ukNIcbV1vjO5O2bi:ae1BkTpLwxl8nyvwZee30FrTZ7OI2W

Malware Config

Extracted

Family

aurora

C2

45.15.156.97:8081

Targets

    • Target

      56412a0fdda35a4e4eaeee929670575fb9b4e86943395af2b9fdf9bee8f21a56

    • Size

      262KB

    • MD5

      93e241915ccba3e725b401bd8a6710cb

    • SHA1

      b95c0b3522ab2e987cc13f2e4f91cdb09f0fc675

    • SHA256

      56412a0fdda35a4e4eaeee929670575fb9b4e86943395af2b9fdf9bee8f21a56

    • SHA512

      6d9036c7da1063b6911d223a802cc24994977888fb36bc459d7b938eabb3f32ad260a98962a7807adec22f972fffdeefc200dc33f382047551b60d6edad5fe5b

    • SSDEEP

      3072:spLyjGoqLH7K8Ha13K0R7sVmOTzHdgFZe8V3P3mqw8PByX27hZY:wgYLH7fa5Kz7wZee3P2CPByyZY

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks