General

  • Target

    LibreOffice_7.4.3_Win_x64 (1).iso

  • Size

    300.4MB

  • Sample

    230118-zjtgyseb8z

  • MD5

    98656e56fa28e95aec0feeb127ef3530

  • SHA1

    4382a4084ba8dbf15c2f01dbda3eb4e236fafb3d

  • SHA256

    b109edfd6e96760ba5a639b688491c58b75acc014ec8a89eae1e16fd39a678c8

  • SHA512

    e90cc7c5c910379e88bbd44573be64fc6080c3de1b38b0deb1fb5744494c9e639f5ff18823edc7bd5b33a320586a916e70ef108f5af0b092856bb34071fb2e6b

  • SSDEEP

    12288:IbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjSww43vmOC:wUww4fmOa6IglK

Malware Config

Extracted

Family

aurora

C2

79.137.133.225:8081

Targets

    • Target

      LibreOffice_7.4.3_Win_x64.exe

    • Size

      300.4MB

    • MD5

      571c7f42a9b065b6c28a55a3d163b9f9

    • SHA1

      77c4aa129876c355130db2bc8aef8f281129a2b3

    • SHA256

      acd07467116a82cff3167e352362c2f670879a18bdcfc9a74f4b0520f5019023

    • SHA512

      3b087bfda86e0471ffc6e979798880da7b4e7f3eafdc255e55f3c69dc9befd8bef88d5a50948bd3186bad58e1b46882f391ddf97d35a225e0fc97218946454d5

    • SSDEEP

      12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjSww43vmOC:mUww4fmOa6IglK

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks