General

  • Target

    install_win64.zip

  • Size

    4.8MB

  • Sample

    230125-1xvgvace3v

  • MD5

    564549d2d8e7de67ba01405c5cde1da8

  • SHA1

    0afd85596979d7707005ee16b49522991b02a914

  • SHA256

    405862265e3d65d3fdd6f9a502fa001e7c7c4564848e060971240758264a9a25

  • SHA512

    f2fc01fa073b25be8b8769e64837b87c5ad517f763fe0a40e00e78b422541f632558cb876d2aa603edd7005304b2a2a9380cc70e084a8886053c22cb10b833f7

  • SSDEEP

    98304:BEjFd/umpx14acFK/LbfO0jUHDATI5pVP4:BEBlumpIaGCNxTI6

Malware Config

Extracted

Family

aurora

C2

45.15.156.210:8081

Targets

    • Target

      install_win64.zip

    • Size

      4.8MB

    • MD5

      564549d2d8e7de67ba01405c5cde1da8

    • SHA1

      0afd85596979d7707005ee16b49522991b02a914

    • SHA256

      405862265e3d65d3fdd6f9a502fa001e7c7c4564848e060971240758264a9a25

    • SHA512

      f2fc01fa073b25be8b8769e64837b87c5ad517f763fe0a40e00e78b422541f632558cb876d2aa603edd7005304b2a2a9380cc70e084a8886053c22cb10b833f7

    • SSDEEP

      98304:BEjFd/umpx14acFK/LbfO0jUHDATI5pVP4:BEBlumpIaGCNxTI6

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      install_win64.exe

    • Size

      470.0MB

    • MD5

      446a94cde644528889e1d99773d0fcb4

    • SHA1

      fe4101e37180a2aa341889a7382da285f17f1d30

    • SHA256

      ee47555bdeb1124c269bfe960cda5203dd30423762e101871c31e85e6813f2b4

    • SHA512

      9a267bbbcc2e7f47517f4d8b37525a8fcc452906e51605114ccd5df69fc15f6b08b8847a5167f187f137b26f527dae3e334826a26c70e15afae65b87bb163887

    • SSDEEP

      49152:ZVNtKmOcwRH2BDLLqktRpeCrrLTLygzVYrwhrzAIvA70Y6OG97QQTqKagaIuUlp3:ZPleUqPCrrugzVfBzdy00QTq9Ml4e

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
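
The signature names above are behaviour classifications a sandbox derives from the process trace. The following is an added example, not code from the report, the sandbox vendor or the Aurora authors, showing how such a trace can be mapped back to exactly these signatures plus the extracted C2. The event lines are constructed for the demo; the registry keys and file paths used in the rules are the artefacts these checks are commonly seen touching (VirtualBox ACPI tables under HKLM\HARDWARE\ACPI, the BIOS keys under HKLM\HARDWARE\DESCRIPTION\System, EnableLUA for UAC, Chromium's Login Data, Exodus's wallet directory, ThreadInformationClass 0x11 for ThreadHideFromDebugger), which is an assumption about typical behaviour, not a claim about this sample's exact code paths.

```python
"""
Match sandbox behaviour events against the signatures named in this report.

Added example: not code from the report, the sandbox, or the Aurora authors.
The event lines are constructed for the demo; the registry and file paths in
the rules are the artefacts these checks commonly touch (an assumption about
typical behaviour, not a claim about this sample's exact code paths).
"""
import re
from collections import defaultdict

# Indicator copied verbatim from the report's extracted config.
C2_HOST, C2_PORT = "45.15.156.210", 8081

# Signature name -> (event kind it applies to, pattern over the event argument).
RULES = {
    "Identifies VirtualBox via ACPI registry values": (
        "reg_query", re.compile(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    "Checks BIOS information in registry": (
        "reg_query", re.compile(r"HARDWARE\\DESCRIPTION\\System\\(BIOS\\|SystemBiosVersion|VideoBiosVersion)", re.I)),
    "Checks whether UAC is enabled": (
        "reg_query", re.compile(r"Policies\\System\\EnableLUA$", re.I)),
    "Reads user/profile data of web browsers": (
        "file_read", re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)),
    "Accesses cryptocurrency files/wallets": (
        "file_read", re.compile(r"\\(Exodus|Electrum|Ethereum\\keystore|atomic)\\", re.I)),
    "Suspicious use of NtSetInformationThreadHideFromDebugger": (
        # ThreadInformationClass 0x11 is ThreadHideFromDebugger.
        "api_call", re.compile(r"^NtSetInformationThread\(.*ThreadInformationClass=0x11\b")),
    "C2 connection": (
        "net_connect", re.compile(rf"^{re.escape(C2_HOST)}:{C2_PORT}$")),
}

ANTI_ANALYSIS = frozenset({
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
})
STEALER = frozenset({
    "Reads user/profile data of web browsers",
    "Accesses cryptocurrency files/wallets",
})

# Constructed sandbox trace in "pid|kind|argument" form (not a real log).
SAMPLE_EVENTS = r"""
1337|reg_query|HKLM\HARDWARE\ACPI\DSDT\VBOX__
1337|reg_query|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
1337|reg_query|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
1337|reg_query|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
1337|api_call|NtSetInformationThread(ThreadHandle=0xffffffff, ThreadInformationClass=0x11)
1337|file_read|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
1337|file_read|C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco
1337|net_connect|45.15.156.210:8081
"""


def parse_events(log_text):
    """Parse 'pid|kind|argument' lines into (pid, kind, argument) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, kind, arg = line.split("|", 2)
        events.append((int(pid), kind, arg))
    return events


def match_signatures(events):
    """Return {signature name: [matching event arguments]} for every rule that fired."""
    hits = defaultdict(list)
    for _pid, kind, arg in events:
        for name, (want_kind, pattern) in RULES.items():
            if kind == want_kind and pattern.search(arg):
                hits[name].append(arg)
    return dict(hits)


def triage(log_text):
    """Group fired signatures the way the report does and flag the C2 contact."""
    hits = match_signatures(parse_events(log_text))
    return {
        "signatures": sorted(hits),
        "anti_analysis": sorted(n for n in hits if n in ANTI_ANALYSIS),
        "stealer_behaviour": sorted(n for n in hits if n in STEALER),
        "c2_seen": "C2 connection" in hits,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Only the event kind plus a path or argument pattern is needed to reproduce each classification, which is why the same rules transfer to any other trace source that records registry, file, API and socket activity per process.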

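One detail worth checking before detonating or uploading this sample: the report lists a 4.8 MB zip that unpacks to a 470.0 MB install_win64.exe, a ratio of roughly 98:1, which is what a binary bloated with repetitive bytes looks like (a common trick to exceed scanner and sandbox upload limits). The following is an added example, not code from the report or the sandbox, that measures compressibility and tail entropy to spot such padding. The file image is constructed in memory (a fake DOS stub, pseudo-random "code", then zero padding); the 10:1 ratio and 1.0 bits-per-byte thresholds are assumptions for the demo, not values the report states.

```python
"""
Check a file image for low-entropy padding (added example, not the report's code).

A constructed image stands in for the sample: fake stub header, pseudo-random
payload, then a large zero run. The ratio and entropy thresholds are assumptions.
"""
import hashlib
import math
import zlib
from collections import Counter


def pseudo_random_bytes(n, seed=b"demo"):
    """Deterministic high-entropy filler (SHA-256 chain), so the demo needs no files."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_run(data):
    """Length of the run of identical bytes at the end of the image."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def inflation_report(data, tail_len=64 * 1024, ratio_threshold=10.0, entropy_threshold=1.0):
    """High compressibility plus a flat tail is the padding signal; both must hold."""
    compressed = len(zlib.compress(data, 6))
    ratio = len(data) / max(compressed, 1)
    tail_entropy = shannon_entropy(data[-tail_len:])
    run = trailing_run(data)
    return {
        "size": len(data),
        "compressed_size": compressed,
        "ratio": ratio,
        "tail_entropy": tail_entropy,
        "trailing_run": run,
        "payload_estimate": len(data) - run,  # bytes before the padding run
        "likely_padded": ratio > ratio_threshold and tail_entropy < entropy_threshold,
    }


STUB_HEADER = b"MZ" + b"\x90" * 62  # fake DOS stub, not a real PE header
PADDED_SAMPLE = STUB_HEADER + pseudo_random_bytes(256 * 1024) + b"\x00" * (8 * 1024 * 1024)
UNPADDED_SAMPLE = STUB_HEADER + pseudo_random_bytes(256 * 1024)

if __name__ == "__main__":
    for name, image in (("padded", PADDED_SAMPLE), ("unpadded", UNPADDED_SAMPLE)):
        r = inflation_report(image)
        print(f"{name}: {r['size']} bytes, ratio {r['ratio']:.1f}, "
              f"tail entropy {r['tail_entropy']:.2f}, trailing run {r['trailing_run']}, "
              f"likely_padded={r['likely_padded']}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `inflation_report`; the `payload_estimate` field gives a first cut of where the genuine binary ends, which is where to truncate before submitting it to tooling with size caps.
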
MITRE ATT&CK Enterprise v6