General

  • Target

    install_win64.zip

  • Size

    4.8MB

  • Sample

    230124-yxc7fsfb6x

  • MD5

    661267bd0d0f014628a2e0716cd03a5c

  • SHA1

    908aee7753a2a8d3ecffc570c4ed3422740a4f68

  • SHA256

    bf46caa96824ab3a6ce2d736c48778936324fbc6a097866a24d2925d9e7cd56e

  • SHA512

    aebc9c567254dd8badfe3b1062b3701db3a4a80eb1adc3c009e023c17e9dc810aa204b4f275e948c4ebee2be165462e5e39206b20334395ae384713be60605f3

  • SSDEEP

    98304:BEjFd/umi9lCdhyZ4tlAhfDEDJDzE6kWrer8cAO:BEBlumiAyclQQFQ

Malware Config

Extracted

Family

aurora

C2

45.15.156.210:8081

Targets

    • Target

      install_win64.zip

    • Size

      4.8MB

    • MD5

      661267bd0d0f014628a2e0716cd03a5c

    • SHA1

      908aee7753a2a8d3ecffc570c4ed3422740a4f68

    • SHA256

      bf46caa96824ab3a6ce2d736c48778936324fbc6a097866a24d2925d9e7cd56e

    • SHA512

      aebc9c567254dd8badfe3b1062b3701db3a4a80eb1adc3c009e023c17e9dc810aa204b4f275e948c4ebee2be165462e5e39206b20334395ae384713be60605f3

    • SSDEEP

      98304:BEjFd/umi9lCdhyZ4tlAhfDEDJDzE6kWrer8cAO:BEBlumiAyclQQFQ

    • Score

      1/10

    • Target

      install_win64.exe

    • Size

      470.0MB

    • MD5

      b7b7aed1825de00641975dd959c50fa3

    • SHA1

      e10c4e7fda881e5e0303e318d719f1107f15a0f1

    • SHA256

      7b07ba9da200ae6f41090cf60374521c34a031ca59137196698cc82ec6459a0c

    • SHA512

      2b14a8a5d11bfb58d997399c74a53ecf3eec7f582fc6ddfa0a29b39607c5569ad51a64d95e5eb7869471a104935f0c4d27f126a462869ebdb2df4d837d925e6e

    • SSDEEP

      49152:V1fsKJAccz1yNySqWj1ev4yFJzIosdgj7SzI7eM5jWglagRwQRPYcE84HjSdepEQ:b7cz1yjySjdgj7Sk7bjpRw2HiSde6DF+

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data, which can include saved credentials, cookies and session tokens.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
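The following triage script is an added example and is not part of the sandbox report or of the Aurora sample. It takes the IOCs the report lists (artifact hashes and the extracted C2) and the behaviours flagged above (VirtualBox ACPI keys, BIOS strings, the UAC EnableLUA flag, ThreadHideFromDebugger) and turns them into checks that can be run against a file on disk and against a sandbox API trace. The registry paths are real Windows locations; the `pid=... image=... api=... arg=...` trace format and the netflow lines are constructed here for the demo and are not the output of any particular tool. Hashing is streamed because the dropped install_win64.exe is 470 MB; that a 470 MB binary fits in a 4.8 MB archive indicates the executable is mostly highly compressible padding.

```python
"""Triage helper for the sandbox report above (added example, not part of the
report). IOC values are copied from the report; the API-trace and netflow
lines are constructed so the script runs offline."""
import hashlib
import re

# Hashes as listed in the report's Targets section.
REPORT_HASHES = {
    "install_win64.zip": {
        "md5": "661267bd0d0f014628a2e0716cd03a5c",
        "sha1": "908aee7753a2a8d3ecffc570c4ed3422740a4f68",
        "sha256": "bf46caa96824ab3a6ce2d736c48778936324fbc6a097866a24d2925d9e7cd56e",
    },
    "install_win64.exe": {
        "md5": "b7b7aed1825de00641975dd959c50fa3",
        "sha1": "e10c4e7fda881e5e0303e318d719f1107f15a0f1",
        "sha256": "7b07ba9da200ae6f41090cf60374521c34a031ca59137196698cc82ec6459a0c",
    },
}
C2 = ("45.15.156.210", 8081)  # extracted Aurora config


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory blob (the digests the report lists)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file through all three digests; a 470 MB binary is not read whole."""
    hs = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hs.items()}


def matches_report(digests: dict):
    """Name of the report artifact whose SHA256 matches the digests, else None."""
    for name, ref in REPORT_HASHES.items():
        if digests.get("sha256") == ref["sha256"]:
            return name
    return None


# Registry locations behind the report's signatures: VirtualBox ACPI tables,
# BIOS strings and the UAC policy flag. These are real Windows keys.
ANTI_ANALYSIS_KEYS = [
    ("vbox_acpi", re.compile(r"HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_info", re.compile(
        r"HKLM\\HARDWARE\\DESCRIPTION\\System\\(BIOS\b|SystemBiosVersion|VideoBiosVersion)", re.I)),
    ("uac_check", re.compile(
        r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", re.I)),
]
# Constructed trace-line format (assumption for this demo, not a real tool's output).
EVENT_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+) arg=(?P<arg>.+)$")


def classify_events(lines):
    """Tag each trace line that hits an anti-analysis key or hides a thread from the debugger."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        api, arg = m["api"], m["arg"]
        if api == "NtSetInformationThread" and "ThreadHideFromDebugger" in arg:
            hits.append((int(m["pid"]), m["image"], "hide_from_debugger"))
            continue
        for tag, pat in ANTI_ANALYSIS_KEYS:
            if api.startswith("Reg") and pat.search(arg):
                hits.append((int(m["pid"]), m["image"], tag))
                break
    return hits


def c2_connections(netflow):
    """PIDs that connected to the extracted C2, from 'pid=<n> ... dst=<ip>:<port>' lines."""
    pat = re.compile(r"pid=(\d+) .*dst=%s:%d\b" % (re.escape(C2[0]), C2[1]))
    return sorted({int(m.group(1)) for m in map(pat.search, netflow) if m})


# Constructed trace and netflow lines for the demo (not from the real sandbox run).
TRACE = [
    "pid=2140 image=install_win64.exe api=RegOpenKeyExW arg=HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "pid=2140 image=install_win64.exe api=RegQueryValueExW arg=HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "pid=2140 image=install_win64.exe api=RegQueryValueExW arg=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
    "pid=2140 image=install_win64.exe api=NtSetInformationThread arg=ThreadHideFromDebugger(0x11)",
    "pid=2140 image=install_win64.exe api=RegQueryValueExW arg=HKCU\\Software\\Classes\\Local Settings\\MuiCache",
]
NETFLOW = [
    "pid=2140 proto=tcp dst=45.15.156.210:8081",
    "pid=2140 proto=tcp dst=23.15.0.1:443",
]

if __name__ == "__main__":
    for hit in classify_events(TRACE):
        print(hit)
    print("C2 contacted by PIDs:", c2_connections(NETFLOW))
```

On real input, call `matches_report(hash_file("install_win64.exe"))` to confirm the binary is the one the report analysed before trusting the behaviour list; the trace classifier is a starting point for a sandbox or EDR rule, and the negative MuiCache line shows that ordinary registry reads are not flagged.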

MITRE ATT&CK Enterprise v6

Tasks