Resubmissions

04/01/2023, 10:05

230104-l4s52aad8t 10

General

  • Target

    c2f4d1bc03bb6586ce429064d1c2d24b6f958fdc1785400e334a579a821dc796

  • Size

    8.1MB

  • Sample

    230104-l4s52aad8t

  • MD5

    f3c6b4f884ee17e21c51bcca7cbda178

  • SHA1

    84721c29f3cc593653855d00ad8e0868d0f80d8d

  • SHA256

    c2f4d1bc03bb6586ce429064d1c2d24b6f958fdc1785400e334a579a821dc796

  • SHA512

    22a3fad531dc2cf8293bb9b6e5a6f4e804756769d30db655aef6b9dcaf415aeaea93083a2df90dbb13ecd2a60e7eec9860c3abb247ed521a175372086e8b1336

  • SSDEEP

    196608:DtENXW++mzrvmqFsuHVioV8m2oUqLbI/qXx2nVJ1G:DWlW3mzrvPF11r12oUqLOqXx2s

Malware Config

Extracted

Family

aurora

C2

79.137.206.138:8081
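The C2 endpoint above, together with the dropped-executable and Run-key behaviours flagged in the Targets section below, is enough to write a first-pass host detection. The following Python is an added example, not code from the sandbox page or from the Aurora operators: it scans JSON-per-line Sysmon events for the report's SHA256 hashes, execution of the dropped EXE, a connection to 79.137.206.138:8081 and a value written under a CurrentVersion\Run key. The Sysmon field names (EventID, Image, Hashes, DestinationIp, DestinationPort, TargetObject) follow Sysmon's schema; the event lines are constructed for the example and were not captured from this run.

```python
import json
import re

# Indicators copied from the report above (archive and dropped executable).
C2_IP = "79.137.206.138"
C2_PORT = 8081
KNOWN_SHA256 = {
    "c2f4d1bc03bb6586ce429064d1c2d24b6f958fdc1785400e334a579a821dc796",  # 8.1MB archive
    "a59a14983a9e3895a8f129ad13021d02a7d01f3727dd9a5ff8c7b2d3d0b8b47d",  # x32_x64_app_setup.exe
}
DROPPED_EXE = "x32_x64_app_setup.exe"
# Run / RunOnce keys under HKLM or HKU\<sid>\Software\Microsoft\Windows\CurrentVersion
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SHA256_FIELD = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def classify(event: dict) -> list:
    """Return the indicator names that one Sysmon event matches (possibly several)."""
    hits = []
    eid = event.get("EventID")
    image = str(event.get("Image", "")).lower()
    if eid == 1:  # process creation: check hash and image name
        m = SHA256_FIELD.search(str(event.get("Hashes", "")))
        if m and m.group(1).lower() in KNOWN_SHA256:
            hits.append("known-sample-hash")
        if image.endswith("\\" + DROPPED_EXE):
            hits.append("dropped-exe-executed")
    elif eid == 3:  # network connection: exact host and port from the config
        if event.get("DestinationIp") == C2_IP and int(event.get("DestinationPort", 0)) == C2_PORT:
            hits.append("c2-connection")
    elif eid == 13:  # registry value set: Run-key persistence
        if RUN_KEY.search(str(event.get("TargetObject", ""))):
            hits.append("run-key-persistence")
    return hits


def scan(lines) -> list:
    """Scan JSON-per-line Sysmon events; return (indicator, image) pairs in event order."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        for tag in classify(event):
            findings.append((tag, event.get("Image", "?")))
    return findings


# Constructed sample events (assumed paths; not captured from the sandbox run).
SAMPLE_EXE = r"C:\Users\victim\Downloads\x32_x64_app_setup\x32_x64_app_setup.exe"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": SAMPLE_EXE,
                "Hashes": "MD5=FA39DD98CB841DF4862B42F921CDC216,"
                          "SHA256=A59A14983A9E3895A8F129AD13021D02A7D01F3727DD9A5FF8C7B2D3D0B8B47D"}),
    json.dumps({"EventID": 13, "Image": SAMPLE_EXE,
                "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "Details": SAMPLE_EXE}),
    json.dumps({"EventID": 3, "Image": SAMPLE_EXE,
                "DestinationIp": "79.137.206.138", "DestinationPort": 8081}),
    json.dumps({"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "DestinationIp": "79.137.206.138", "DestinationPort": 443}),  # same host, other port: no hit
    "not json",
]

if __name__ == "__main__":
    for tag, image in scan(SAMPLE_EVENTS):
        print(f"{tag:22} {image}")
```

The port check is deliberately exact because the config names a single port; widen it to any connection to the host if you are hunting rather than alerting. SetThreadContext, the last signature in the report, is not a Sysmon event, so it is not covered here.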

Targets

    • Target

      c2f4d1bc03bb6586ce429064d1c2d24b6f958fdc1785400e334a579a821dc796

    • Size

      8.1MB

    • MD5

      f3c6b4f884ee17e21c51bcca7cbda178

    • SHA1

      84721c29f3cc593653855d00ad8e0868d0f80d8d

    • SHA256

      c2f4d1bc03bb6586ce429064d1c2d24b6f958fdc1785400e334a579a821dc796

    • SHA512

      22a3fad531dc2cf8293bb9b6e5a6f4e804756769d30db655aef6b9dcaf415aeaea93083a2df90dbb13ecd2a60e7eec9860c3abb247ed521a175372086e8b1336

    • SSDEEP

      196608:DtENXW++mzrvmqFsuHVioV8m2oUqLbI/qXx2nVJ1G:DWlW3mzrvPF11r12oUqLOqXx2s

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      x32_x64_app_setup/x32_x64_app_setup.exe

    • Size

      677.8MB

    • MD5

      fa39dd98cb841df4862b42f921cdc216

    • SHA1

      bc7b3c8b053eba372baeedd38d7b315c5cc82fc1

    • SHA256

      a59a14983a9e3895a8f129ad13021d02a7d01f3727dd9a5ff8c7b2d3d0b8b47d

    • SHA512

      b7f81652824379d4dd101bb6654ef85e9e38077506956ec57e7676c00b3dca4dd6e6b4cc9b82f682eb24b9dfa197e349ca3c5ff23ab60880353cc46224a81dcf

    • SSDEEP

      3072:HahKyd2n31DY5PQ0bbsYPrT1OhwcqtiyD+ltwfFaOrzu0vD2Q9E64gRq6hpDb0:HahOhVkAwT1iwiyD023D2Q9L4qs

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other session material.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
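The second target is listed at 677.8MB although it came out of an 8.1MB archive, and its SSDEEP block size (3072) is far below what a file of that size normally produces (the archive's 196608 is the expected value for 8.1MB); a long run of repeated bytes drives the block size down like that. That is consistent with the executable being padded to exceed sandbox and scanner size limits, but the report does not say so, so treat it as an inference to verify. The following Python is an added example, not code from the page or the sandbox: it parses the PE section table, measures the overlay after the last section and estimates how much of that overlay is one repeated byte. The PE it builds for demonstration is a constructed, non-loadable fixture, and the thresholds in looks_padded are assumptions.

```python
import struct

SECTION_HEADER_SIZE = 40


def dominant_byte_ratio(data: bytes, start: int = 0, windows: int = 64, window: int = 4096) -> float:
    """Fraction of data[start:] taken by its most common byte value, estimated from
    evenly spaced windows so a multi-hundred-megabyte overlay is not scanned 256 times."""
    length = len(data) - start
    if length <= 0:
        return 0.0
    if length <= windows * window:
        sample = data[start:]
    else:
        stride = length // windows
        sample = b"".join(data[start + i * stride: start + i * stride + window] for i in range(windows))
    top = max(sample.count(bytes([b])) for b in range(256))
    return top / len(sample)


def overlay_stats(data: bytes) -> dict:
    """Locate the end of the last PE section and measure what follows it (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    first_section = e_lfanew + 24 + opt_header_size
    sections_end = first_section + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections_end = max(sections_end, raw_ptr + raw_size)
    overlay_size = len(data) - sections_end
    return {
        "file_size": len(data),
        "sections_end": sections_end,
        "overlay_size": overlay_size,
        "overlay_ratio": overlay_size / len(data),
        "overlay_dominant_byte_ratio": dominant_byte_ratio(data, sections_end),
    }


def looks_padded(data: bytes, min_overlay_ratio: float = 0.5, min_dominant: float = 0.9) -> bool:
    """Heuristic (assumed thresholds): most of the file is overlay, and that overlay is
    mostly a single repeated byte."""
    s = overlay_stats(data)
    return s["overlay_ratio"] >= min_overlay_ratio and s["overlay_dominant_byte_ratio"] >= min_dominant


def build_padded_pe(code_size: int = 0x100, pad_size: int = 0x10000) -> bytes:
    """Constructed minimal PE: MZ stub, PE signature, COFF header with no optional header,
    one section, then a null overlay. A parser fixture, not a loadable executable."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0, 0x22)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", hdr, e_lfanew + 24, b".text", code_size, 0x1000, code_size, 0x200)
    body = bytes(range(256)) * (code_size // 256)
    return bytes(hdr) + body + b"\x00" * pad_size


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_padded_pe()
    stats = overlay_stats(sample)
    print({k: (round(v, 4) if isinstance(v, float) else v) for k, v in stats.items()})
    print("padded:", looks_padded(sample))
```

Run it against the extracted x32_x64_app_setup.exe to confirm or refute the padding inference; a large overlay whose dominant-byte ratio is near 1.0 also tells you that stripping the overlay will give a much smaller file to hash, ssdeep and scan.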

MITRE ATT&CK Enterprise v6

Tasks