General

  • Target

    d7e9dee7a796ca31bd7a8f4758a7e74f1690bcd78dbc854d34a34c4c8797101b

  • Size

    256KB

  • Sample

    221231-zxa8jadg4y

  • MD5

    d84f4bfc590ae95cd617fdd0e15ee618

  • SHA1

    8a6aa5eae01fad0265974d991ae34657473005b6

  • SHA256

    d7e9dee7a796ca31bd7a8f4758a7e74f1690bcd78dbc854d34a34c4c8797101b

  • SHA512

    fdd091408446fbb090421d3cd9069c010f46e2bf8579409ede86126ef5188e02bb5f0bce0726603c49a4a5930b226ec3509dc4d1ab5191dadfba724713cb787c

  • SSDEEP

    3072:RneXp8Q1Lcp5kqiRlic4sgp0mmNkPRgDC4MzmquATV7m8T027hZY:qBL0kqXe2g7BuTVqohZY

Malware Config

Extracted

  • Family

    aurora

  • C2

    45.15.156.97:8081

Targets

    • Target

      d7e9dee7a796ca31bd7a8f4758a7e74f1690bcd78dbc854d34a34c4c8797101b

    • Size

      256KB

    • MD5

      d84f4bfc590ae95cd617fdd0e15ee618

    • SHA1

      8a6aa5eae01fad0265974d991ae34657473005b6

    • SHA256

      d7e9dee7a796ca31bd7a8f4758a7e74f1690bcd78dbc854d34a34c4c8797101b

    • SHA512

      fdd091408446fbb090421d3cd9069c010f46e2bf8579409ede86126ef5188e02bb5f0bce0726603c49a4a5930b226ec3509dc4d1ab5191dadfba724713cb787c

    • SSDEEP

      3072:RneXp8Q1Lcp5kqiRlic4sgp0mmNkPRgDC4MzmquATV7m8T027hZY:qBL0kqXe2g7BuTVqohZY

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks