aurora | 3d30d701fb087416627321c60ab02f143718aefbb3ea7e2689b6fb658ab78ab6 | Triage

Resubmissions

04-02-2023 21:43

230204-1lbwcseg47 10

Sharing

General

Target

VSCodeUserSetup-x64-1.74.3.zip
Size

10.3MB
Sample

230204-1lbwcseg47
MD5

ffc83d031c562f089f0811731a65a47e
SHA1

d2c9b520768f5f526b875d52864d1676c546d3c1
SHA256

3d30d701fb087416627321c60ab02f143718aefbb3ea7e2689b6fb658ab78ab6
SHA512

2638e17d110dbca1b78d51c8f2714b451a7017346fb93b91e28bf8e1e45305cdfb93845d5eb0ee9ece807166ce032317878c3133ef5223a72328d754f1d4c9d4
SSDEEP

196608:tkrvx0ZhKNLWMYVQL8N2ng7pixycHdYZFXXt/vh68g22zl6uT2QhjZi:tkrvx0uvkQ3g7p81dYjXXth681wl/qQu

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Targets

- Target
  
  VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe
- Size
  
  680.7MB
- MD5
  
  07e845f93ca6fcbd10bad391aa94eaa0
- SHA1
  
  340a9c9c85644f973302a694686eb8cba8ab1876
- SHA256
  
  369ad6d01ffbd5af4a4da72d648afb41af0b694bbb05a39be0f4314daddce219
- SHA512
  
  44d5ff91002d37cb994b736cf350cbb61fde7ae618a4404950921f49f3f9488341212229cff0b411b20d800f99b7cfa612684ccf4543b613ab41f3ee81bd8aeb
- SSDEEP
  
  98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4tp4:VSSzMGS26x1MUTM+/Fha
Score

10^/10

purecrypter downloader loader persistence aurora stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Detect PureCrypter injector
  loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll
- Size
  
  89KB
- MD5
  
  ee6dab9b460d8570cd10a017d850739d
- SHA1
  
  5ee005251c2aae9f63d3e2c7efed8d091f8f758f
- SHA256
  
  5a1f4f92d865ccc37c6e99342b3692cc0cd7f6ed6c108fa8ff559ddd72c7d2fa
- SHA512
  
  883f8d6c842ff8dcd26e093a404a39131a02d1e33ec45f5d187db05fec047c56f52798b923cdb90ea4b5a7e701f8fa454de6e6a7a6d5f710d55d31c432d69555
- SSDEEP
  
  1536:4x7W0l+4C1qZfonwhIX3H7S5T1eATyglkSu/dItMImTInr3gZ89JqsfAENRLzIxO:4xS0QbqCwSHq+3/dIVrwEqsF8FN09
Score

3^/10
behavioral3 behavioral4
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll
- Size
  
  622KB
- MD5
  
  d0cfb628f3a6033f7a45ee841c1161de
- SHA1
  
  b7b6d82ab924b0130fdcbade148f3220faf3c1a8
- SHA256
  
  cc04e8e3190335b7be885d175f62e1fd8bae1deeca4e660a4df85bf7c286221e
- SHA512
  
  2e987acd0ff8d1e6d336c1bc9c24af5cbbe49094365b1e09b3efc3735fbba76a3806ec66c8478664412e51700477d788947d8d557f3dec1d2d08d4685c2f5b35
- SSDEEP
  
  6144:gqCGo2jbRSFZxZ3S9fO4yciqIJuYpvTHq7yXE/0vk5bBGslJ6NoUuUPaT1QANbr0:BRsx8iP0/GkW/uUi6Al6G+Jh3WU
Score

3^/10
behavioral5 behavioral6
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll
- Size
  
  2.0MB
- MD5
  
  bec8114a164a68f590268056a950cb68
- SHA1
  
  593fa9ca63c7355fb1dc91ab10f7293ee2b1bebc
- SHA256
  
  aae19ff2bf6cde4d35197d7cca9ccfab8b0641bdd499ea70df5c723d17cc15e9
- SHA512
  
  da3f07c7119451cf6864fa69d3c0afa03a157cf7ee0d22ffe8ef7416ab0de081033ea2b6bc5a3e9504923461519d58c186c811ceacd8ce48072f85497cccff44
- SSDEEP
  
  49152:cIrOBzTBiUM62O/7ikRWXAf8EClorGtlqIlv4L0al8AfXk2XAxOqe4TF:cIUIwfGlJ4L70OqeGF
Score

1^/10
behavioral7 behavioral8
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll
- Size
  
  4.6MB
- MD5
  
  61796dd3214a0d8568dfd6e3ccf1d4c9
- SHA1
  
  b8f24caec7edefc4fe5656473bf1b3fce669a65f
- SHA256
  
  b08f1e09afc504c1a18fe183ca5aca9d4f9fb4ad27fcf591f135c45b8bb96802
- SHA512
  
  4e98b699d164230da3a76f0ba2ce65cfcc3911817a87521c98756d7b199e68fb55808c020bf0aef563ee48a3ae43aeacc15064abc47e0c2ada99d76672f3081e
- SSDEEP
  
  49152:0fJ/rfq8WwIjU+TXuTw1EWKcPfecKeDGBJFPJ6+snw2zC1hPwh/tpcdGuBzoWD/U:STIjZKcOcKeSDivw2Gd7NFDs
Score

1^/10
behavioral10 behavioral9
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll
- Size
  
  36KB
- MD5
  
  817f94733db9bcea6bcd4fd81296f82b
- SHA1
  
  ef61fbe7e7cee4642dc695b45cdf5b6b40ed6f23
- SHA256
  
  bb4f7ea087bec11099be250a0eb4dbaffe6485c60303cebea179a5c602fb061b
- SHA512
  
  e8287c634860a3b434f69b4da49a67c00d7fa4488e1e3706e5932e76042f783db78ff6228272a6de5a49048531a69aaa7343d4d2b55e57c5472b7b3ccd3532a8
- SSDEEP
  
  768:ZObYehNicpfJ1T5D4R6KRq+erJARce+CLj5YnWGRYJA2x:2hNd1Tk607er+Lj5YnWGkA2x
Score

3^/10
behavioral11 behavioral12
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll
- Size
  
  940KB
- MD5
  
  2555ca538cfa951b193896509b847730
- SHA1
  
  11d95c5d4f1836db092632e9a84a36a5b80563e9
- SHA256
  
  8c965bae549766b7fa4b9d9c7e56a729abc5474484efe94663b3c8bfd0429719
- SHA512
  
  2d0606b9fa6b9bdcbab1ed000af9df3369eb3a260014d3b3fa2fc407568d1729eb85af8117f8fd2bb354d4cfeb32382217ebccc3b2019aec4e9e1a5ec0061ec4
- SSDEEP
  
  24576:1jNufeKFyo5zYINB2USKfkTInCyVNImtGQty:1jNufeKFyUzYIWZSkTMJt3ty
Score

7^/10

persistence
- Registers COM server for autorun
  persistence
behavioral13 behavioral14
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll
- Size
  
  145KB
- MD5
  
  0ec947764afbe65edbbd364bf89cf49e
- SHA1
  
  56187f98f28c7bd654ca54cecdac101409a4c2f5
- SHA256
  
  153358ccb7d06c7bcedc0eff14571e3366b05519d854180087e1bbfb4f57e3a6
- SHA512
  
  9c79228032e5396580773f042693acfc94275cc8e403237f5c3693945f17c1929d0d06a82e8a193559cdb6381ba58731e641bf161421c91d5497d85fb851db53
- SSDEEP
  
  3072:UjjFh6230y8vLh848jZp8zy+mVzElvVVpV817YDTrueg:KRMdvLi48VmHmVzmvfpV8Eae
Score

1^/10
behavioral15 behavioral16
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll
- Size
  
  33KB
- MD5
  
  14320e135e4d1832a5b167f3c8c91e33
- SHA1
  
  1d2d9d9a348ff53d0fb3a28de015b03eaeff9a0c
- SHA256
  
  208f1896e3939ca17d3e2de3e0ce38b83443d3a24f475a3e59fb7d2900ca8337
- SHA512
  
  ed2bc4d9973c4423f924df696c8783e657abd74f4b418f796e44feae06d6f19e29b1d584dfcf25973dcd78e1ac8e1936e7e6cf8222fbd2b0f6b024627287a8c3
- SSDEEP
  
  768:RL+UB0dQH6LQHqxVRgXCoSMIOSUtShlxlTQykqdw1W7MfnCNT3iK+7NIq9:RHB0dNLQHqPyXZIOZGxlTQykqdwCMfnB
Score

1^/10
behavioral17 behavioral18
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll
- Size
  
  1.0MB
- MD5
  
  66f7d94678f6fed80c6b2ff642408d86
- SHA1
  
  b9da7cd717c7730dfc9ce047507dd165ad1efc84
- SHA256
  
  4e2153b7a82e1d1486eca39e9d77ac253b5ce091eb4b99ae631dbe2b65f93049
- SHA512
  
  8be925191d11493ee6041db113853e50dac69d831b6b7d95fd8102affc8d2f4a98c159c9693ae747aa22abb0263d55ff4bc4c8e577a40174a6d55a0e4b7a69f4
- SSDEEP
  
  12288:lUUn+EbQ1RrnnnSQLQwzcdQgwXYMGk7Mw5zSmSXfcoxYWzrwjDJ6a+froQs4hLNE:lU3/RrnnnSQ0nbCY9CSj0YDsZFW2
Score

3^/10
behavioral19 behavioral20
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml.example
- Size
  
  2KB
- MD5
  
  bc0afacd8028e222472bb32474db8148
- SHA1
  
  826f5ec70527440c72e0be67cd4744d95f45f288
- SHA256
  
  0d2e249a171a07a0b412c9f3eca041e772d530991d6333f9c96600c8c0935027
- SHA512
  
  d65ac28f18ae9886f05f19feb209b6b26199c9353928f304ed705efa9e0632b66442fde52e6fcabdc81a9b3b42bb3a751df5e08929acea14ecbfb43294214664
Score

1^/10
behavioral21 behavioral22
- Target
  
  VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.dll
- Size
  
  2.5MB
- MD5
  
  a719a641167956699558e032468ba229
- SHA1
  
  44a88f80e44f3c35d2d8e0903a7eb3d394a5f7c7
- SHA256
  
  fc1b45835dbd7cd9dac6e6daae5c00de5ef8c7335206f5c08ed1188624c9478a
- SHA512
  
  231bda20f994c72b088b84fefdc56cc03c176781ad7771b376267ce7b3c8d233292ee8c5576c026b734974615f010057b92d5f73678135212cd302a878fdcac9
- SSDEEP
  
  49152:wrrCBBuLnIjHKLiVA+g1JjNIEGMX7j1MH0ewdDmEkuId1lrOqjv:/BBuTaqL2UfGEH5eJEIdR
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

purecrypterdownloaderloaderpersistence

behavioral2

aurorapersistencestealer

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24