General
Target: install_win64.zip
Size: 4.8MB
Sample: 230125-1xvgvace3v
MD5: 564549d2d8e7de67ba01405c5cde1da8
SHA1: 0afd85596979d7707005ee16b49522991b02a914
SHA256: 405862265e3d65d3fdd6f9a502fa001e7c7c4564848e060971240758264a9a25
SHA512: f2fc01fa073b25be8b8769e64837b87c5ad517f763fe0a40e00e78b422541f632558cb876d2aa603edd7005304b2a2a9380cc70e084a8886053c22cb10b833f7
SSDEEP: 98304:BEjFd/umpx14acFK/LbfO0jUHDATI5pVP4:BEBlumpIaGCNxTI6
Behavioral tasks
- behavioral1: sample install_win64.zip, resource win7-20220812-en
- behavioral2: sample install_win64.zip, resource win10v2004-20220901-en
- behavioral3: sample install_win64.exe, resource win7-20221111-en
Malware Config
Extracted (aurora): 45.15.156.210:8081
Targets

Target: install_win64.zip
Size: 4.8MB
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: install_win64.exe
Size: 470.0MB
MD5: 446a94cde644528889e1d99773d0fcb4
SHA1: fe4101e37180a2aa341889a7382da285f17f1d30
SHA256: ee47555bdeb1124c269bfe960cda5203dd30423762e101871c31e85e6813f2b4
SHA512: 9a267bbbcc2e7f47517f4d8b37525a8fcc452906e51605114ccd5df69fc15f6b08b8847a5167f187f137b26f527dae3e334826a26c70e15afae65b87bb163887
SSDEEP: 49152:ZVNtKmOcwRH2BDLLqktRpeCrrLTLygzVYrwhrzAIvA70Y6OG97QQTqKagaIuUlp3:ZPleUqPCrrugzVfBzdy00QTq9Ml4e
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of NtSetInformationThreadHideFromDebugger