General

  • Target

    LibreOffice_7.4.3_Win_x64.iso

  • Size

    300.4MB

  • Sample

    230118-zgc27aeb3y

  • MD5

    66ae323248f582a0ef7a590bb9ad422b

  • SHA1

    ad17216df815e090b5f74f121571eeca29470a4d

  • SHA256

    577e892d1297665f413336b2d84793e4f62e578a723b0b47d688983f9cbe64a2

  • SHA512

    1488a34737fe0e38cb703a64da2c4818bcd4477852837110117271bca047fd8209a680513036ef57e43e30d0ae1622a2ae646d7ecfd694ae5c5492b06ad99ba1

  • SSDEEP

    12288:0bCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjFww43vmOC:Mbww4fmOa6IglK

Malware Config

Extracted

  • Family

    aurora

  • C2

    79.137.133.225:8081

Targets

    • Target

      LibreOffice_7.4.3_Win_x64.exe

    • Size

      300.4MB

    • MD5

      2bec9909801a6b076ed39f92014b0ea7

    • SHA1

      7d1b3911ea2c34a04f1fef879f734cb956267c98

    • SHA256

      927faca66d91e772d4f89c84de39b7a02132fb088a97b56056911f0e0f18b026

    • SHA512

      0cb4b1836e5c781a0bc175f799b3427be0bb5bba859ebcfbf5f5e1225ceefa82f40cae08b032e1601515698a4620b12f0e8e76f1fa98f68432992a871dfabb60

    • SSDEEP

      12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjFww43vmOC:mbww4fmOa6IglK

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • UAC bypass

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks