General

  • Target

    9165bc02f34e98d8bda09da495eb33b985d33b3ffa519a19b82255da98840489

  • Size

    159KB

  • Sample

    221231-ykc1xsad69

  • MD5

    2733c742ca5c870769dc88f053af4412

  • SHA1

    ebd4015319b8c92f34b5fcfb7352e7048c1a3af2

  • SHA256

    b94ad368123101b4fa95e7bb443f7048cbbe35dd9c6baed98bd8a6489030d4a0

  • SHA512

    dd861a11017ef3562dffa5f045f5d7f335eb4c95b6e1a88dda281f206799173007eec945064d892addaf1bfdde70d24a65abd6b4441d0d779f7bffcffcdff29b

  • SSDEEP

    3072:75SVjQeeHMz55Wuk5SvsnJ6sB6FuUh2MuN/MO2cYRBpunq2t:7oXbHkAvk7h/MO2FB4nqM

Malware Config

Extracted

  • Family

    aurora

  • C2

    45.15.156.97:8081

Targets

    • Target

      9165bc02f34e98d8bda09da495eb33b985d33b3ffa519a19b82255da98840489

    • Size

      261KB

    • MD5

      b9e274a46b06a02f7687ee5f8279d285

    • SHA1

      e55513ba62093c70b49171ee2da71453066513c5

    • SHA256

      9165bc02f34e98d8bda09da495eb33b985d33b3ffa519a19b82255da98840489

    • SHA512

      62a926137252726e2fe34162f4a871268e2f7268671e27cadaea96602fdd46a8ee70b75d268b5c1b21ddb2625e0f446fcb9b33a5727bff532b8782973ea42f6f

    • SSDEEP

      3072:tVrsbdH1LfhL6XbBhOMnEzReACaJVxSqnJ6sB6FuUh2MuNGS6CKmqIUAM27hZY:tY3FL6jO+OCaz8pk7hGXCxvUApZY

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger
