General

  • Target: Rufus.zip
  • Size: 38.1MB
  • Sample: 230119-sk786sdc7y
  • MD5: 375da6b05826cca9dfb11378b438091c
  • SHA1: 2b0ae1c1c003c6a72b74298e212673624ff45311
  • SHA256: 388db9f88978c954403471f003cec9e90e2600fa3c30bed46b3877679a762250
  • SHA512: c3e2d8540cbe5a9ea2c0bf25433fd7860b8ff570494ddc608c600a5af380d3c5889061977f3ea966a895a4308db060869f77731a3f6d00844a782e89505feb57
  • SSDEEP: 786432:jiI9AAmaERJvhKbbhFKIr4FPkBl2WJepUrojQHferw64SJmN6gfv4B3wGf:+2DLA4pr4FPwxb1gxmHH6f

Malware Config

Extracted

  • Family: aurora
  • C2: 77.83.173.136:8081

Targets

    • Target: Rufus.exe
    • Size: 11.7MB
    • MD5: 66da7da6e39a42cc5a59d7098d51b744
    • SHA1: 5cb2b49063708ba0b2bea2f1867a7b474c827a05
    • SHA256: da35f99ce1e49cf539981fe52b80e58bdb0d6c1f8d8f9425169be1d9845e63a9
    • SHA512: ebb443e077e999f78c2bdde78cbc72d4ea70174cab171856e83bcd69471671a2e6a7f738ca2e61275e0c8fc38026a10cb8f0765014f0f5a3e997973182b56f46
    • SSDEEP: 98304:cIAa/hJgvZIb8EA3qd70G8KKWzavKz4jEpfeOsUQCzCUQkmPZKpcleU:qKEv+AAQDrCzMTFnCzCUQlP6cl

    Score: 10/10

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Target: data/7za.exe
    • Size: 796KB
    • MD5: 90aac6489f6b226bf7dc1adabfdb1259
    • SHA1: c90c47b717b776922cdd09758d2b4212d9ae4911
    • SHA256: ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549
    • SHA512: befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d
    • SSDEEP: 24576:HWdp+y7/ya3yc7tfBA6rDUzfKrBxEATB:up+fa3rLA6s+/

    Score: 1/10
    • Target: data/compil23.bat
    • Size: 387B
    • MD5: 4b9395348434c8f32b17feb587fbeaf6
    • SHA1: 90fe1938ae399c0741e0a915fdc5fe3c7dbf0eac
    • SHA256: 22bf2ac7bbd1a0a927ab40349aec1017dcd089f024126df972dd3d65e029b06c
    • SHA512: 8ef6d9e51cfb9c3fe5b915baa3e799deba89d4cf308b420ee3b5d5508c45844e0684bc0e35c5dc6608f0b89803da16e6840ee2388b9de5e7b5f55767c2b64ce9

    • UAC bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: data/uiscript.vbs
    • Size: 140B
    • MD5: 43b80f54ea07b72e43ab3d7570689b09
    • SHA1: a52f34548c9ad0b1f289928c96d90aaaa16e2b74
    • SHA256: 1555a8776e101b16f6177df4f257566ae0a9b58f1eede29526c709f56c9d6ed1
    • SHA512: 4163acba57fa1a19bed211a253e7aa784bca2afe42e749f03d3d7eb534ec7ec0a7a77b59d17c76d45228082b837a0a3e56cc205fcc0c92e157369ed29a634861

    Score: 1/10
    • Target: platforms/qwindows.dll
    • Size: 1.4MB
    • MD5: ac584cbeb327e9d2364873f451e074be
    • SHA1: eb2d7b7f38c880ae4bc4f32c50e10e73ee15c816
    • SHA256: 1fa4d2f13d22d9a859503d7b7c87ba39d379d9a14afcea7299d572eabb2bdf57
    • SHA512: 4fca1fa9494799f382318d329a3040bc067d55e7cd99be6d768e975fb585f61f8c1360908284bb04c055dcf21a164464305e9255d52b1c57a0cfc49eea003203
    • SSDEEP: 24576:X/JCM63NAI9HwxZ3tVuItJKLOlxrbzxTbhE3Yd3ZAX2NyX:XxlAL9Hw73aItqOPDxPUY4X

    Score: 1/10

MITRE ATT&CK Enterprise v6

Tasks