General

  • Target: install_win64.exe
  • Size: 2.9MB
  • Sample: 230125-yhhtdsad98
  • MD5: 03e3bad71e31f6b4269f07a14300a1a2
  • SHA1: b9ecc7cc12c3f2ca94615a3d68331cdb0c659076
  • SHA256: 21baf3dbca077ed7a34990db99eb22ea6a085977af4e38436002b06b42cfb96c
  • SHA512: 8a7c907c26753dfca2797238cfad7bb7194eb1505896f6192a288537ea7b2a7fbee4c6f84c3b3c23988e61f9ecf7a0ebd084242d2fec233e2b6e58d7d5b5766d
  • SSDEEP: 49152:V1fsKJAccz1yNySqWj1ev4yFJzIosdgj7SzI7eM5jWglagRwQRPYcE84HjSdepEH:b7cz1yjySjdgj7Sk7bjpRw2HiSde6DF

Malware Config

Extracted

  • Family: aurora
  • C2: 45.15.156.210:8081

Targets

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks