Resubmissions

04-02-2023 21:43

230204-1lbwcseg47 (score 10/10)

General

  • Target

    VSCodeUserSetup-x64-1.74.3.zip

  • Size

    10.3MB

  • Sample

    230204-1lbwcseg47

  • MD5

    ffc83d031c562f089f0811731a65a47e

  • SHA1

    d2c9b520768f5f526b875d52864d1676c546d3c1

  • SHA256

    3d30d701fb087416627321c60ab02f143718aefbb3ea7e2689b6fb658ab78ab6

  • SHA512

    2638e17d110dbca1b78d51c8f2714b451a7017346fb93b91e28bf8e1e45305cdfb93845d5eb0ee9ece807166ce032317878c3133ef5223a72328d754f1d4c9d4

  • SSDEEP

    196608:tkrvx0ZhKNLWMYVQL8N2ng7pixycHdYZFXXt/vh68g22zl6uT2QhjZi:tkrvx0uvkQ3g7p81dYjXXth681wl/qQu

Malware Config

Extracted

  • Family

    aurora

  • C2

    45.9.74.11:8081

Targets

    • Target

      VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe

    • Size

      680.7MB

    • MD5

      07e845f93ca6fcbd10bad391aa94eaa0

    • SHA1

      340a9c9c85644f973302a694686eb8cba8ab1876

    • SHA256

      369ad6d01ffbd5af4a4da72d648afb41af0b694bbb05a39be0f4314daddce219

    • SHA512

      44d5ff91002d37cb994b736cf350cbb61fde7ae618a4404950921f49f3f9488341212229cff0b411b20d800f99b7cfa612684ccf4543b613ab41f3ee81bd8aeb

    • SSDEEP

      98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4tp4:VSSzMGS26x1MUTM+/Fha

    • Aurora

      Aurora is an information stealer written in Go that targets cryptocurrency wallets and browser data.

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader (crypter) first seen in early 2021 and sold as a service to deliver other families, here Aurora.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence so the payload does not run on machines in excluded regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Commonly used to point a suspended thread at injected code (process hollowing / injection), consistent with the PureCrypter injector detection above.

    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll

    • Size

      89KB

    • MD5

      ee6dab9b460d8570cd10a017d850739d

    • SHA1

      5ee005251c2aae9f63d3e2c7efed8d091f8f758f

    • SHA256

      5a1f4f92d865ccc37c6e99342b3692cc0cd7f6ed6c108fa8ff559ddd72c7d2fa

    • SHA512

      883f8d6c842ff8dcd26e093a404a39131a02d1e33ec45f5d187db05fec047c56f52798b923cdb90ea4b5a7e701f8fa454de6e6a7a6d5f710d55d31c432d69555

    • SSDEEP

      1536:4x7W0l+4C1qZfonwhIX3H7S5T1eATyglkSu/dItMImTInr3gZ89JqsfAENRLzIxO:4xS0QbqCwSHq+3/dIVrwEqsF8FN09

    Score
    3/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll

    • Size

      622KB

    • MD5

      d0cfb628f3a6033f7a45ee841c1161de

    • SHA1

      b7b6d82ab924b0130fdcbade148f3220faf3c1a8

    • SHA256

      cc04e8e3190335b7be885d175f62e1fd8bae1deeca4e660a4df85bf7c286221e

    • SHA512

      2e987acd0ff8d1e6d336c1bc9c24af5cbbe49094365b1e09b3efc3735fbba76a3806ec66c8478664412e51700477d788947d8d557f3dec1d2d08d4685c2f5b35

    • SSDEEP

      6144:gqCGo2jbRSFZxZ3S9fO4yciqIJuYpvTHq7yXE/0vk5bBGslJ6NoUuUPaT1QANbr0:BRsx8iP0/GkW/uUi6Al6G+Jh3WU

    Score
    3/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll

    • Size

      2.0MB

    • MD5

      bec8114a164a68f590268056a950cb68

    • SHA1

      593fa9ca63c7355fb1dc91ab10f7293ee2b1bebc

    • SHA256

      aae19ff2bf6cde4d35197d7cca9ccfab8b0641bdd499ea70df5c723d17cc15e9

    • SHA512

      da3f07c7119451cf6864fa69d3c0afa03a157cf7ee0d22ffe8ef7416ab0de081033ea2b6bc5a3e9504923461519d58c186c811ceacd8ce48072f85497cccff44

    • SSDEEP

      49152:cIrOBzTBiUM62O/7ikRWXAf8EClorGtlqIlv4L0al8AfXk2XAxOqe4TF:cIUIwfGlJ4L70OqeGF

    Score
    1/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll

    • Size

      4.6MB

    • MD5

      61796dd3214a0d8568dfd6e3ccf1d4c9

    • SHA1

      b8f24caec7edefc4fe5656473bf1b3fce669a65f

    • SHA256

      b08f1e09afc504c1a18fe183ca5aca9d4f9fb4ad27fcf591f135c45b8bb96802

    • SHA512

      4e98b699d164230da3a76f0ba2ce65cfcc3911817a87521c98756d7b199e68fb55808c020bf0aef563ee48a3ae43aeacc15064abc47e0c2ada99d76672f3081e

    • SSDEEP

      49152:0fJ/rfq8WwIjU+TXuTw1EWKcPfecKeDGBJFPJ6+snw2zC1hPwh/tpcdGuBzoWD/U:STIjZKcOcKeSDivw2Gd7NFDs

    Score
    1/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll

    • Size

      36KB

    • MD5

      817f94733db9bcea6bcd4fd81296f82b

    • SHA1

      ef61fbe7e7cee4642dc695b45cdf5b6b40ed6f23

    • SHA256

      bb4f7ea087bec11099be250a0eb4dbaffe6485c60303cebea179a5c602fb061b

    • SHA512

      e8287c634860a3b434f69b4da49a67c00d7fa4488e1e3706e5932e76042f783db78ff6228272a6de5a49048531a69aaa7343d4d2b55e57c5472b7b3ccd3532a8

    • SSDEEP

      768:ZObYehNicpfJ1T5D4R6KRq+erJARce+CLj5YnWGRYJA2x:2hNd1Tk607er+Lj5YnWGkA2x

    Score
    3/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll

    • Size

      940KB

    • MD5

      2555ca538cfa951b193896509b847730

    • SHA1

      11d95c5d4f1836db092632e9a84a36a5b80563e9

    • SHA256

      8c965bae549766b7fa4b9d9c7e56a729abc5474484efe94663b3c8bfd0429719

    • SHA512

      2d0606b9fa6b9bdcbab1ed000af9df3369eb3a260014d3b3fa2fc407568d1729eb85af8117f8fd2bb354d4cfeb32382217ebccc3b2019aec4e9e1a5ec0061ec4

    • SSDEEP

      24576:1jNufeKFyo5zYINB2USKfkTInCyVNImtGQty:1jNufeKFyUzYIWZSkTMJt3ty

    Score
    7/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll

    • Size

      145KB

    • MD5

      0ec947764afbe65edbbd364bf89cf49e

    • SHA1

      56187f98f28c7bd654ca54cecdac101409a4c2f5

    • SHA256

      153358ccb7d06c7bcedc0eff14571e3366b05519d854180087e1bbfb4f57e3a6

    • SHA512

      9c79228032e5396580773f042693acfc94275cc8e403237f5c3693945f17c1929d0d06a82e8a193559cdb6381ba58731e641bf161421c91d5497d85fb851db53

    • SSDEEP

      3072:UjjFh6230y8vLh848jZp8zy+mVzElvVVpV817YDTrueg:KRMdvLi48VmHmVzmvfpV8Eae

    Score
    1/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll

    • Size

      33KB

    • MD5

      14320e135e4d1832a5b167f3c8c91e33

    • SHA1

      1d2d9d9a348ff53d0fb3a28de015b03eaeff9a0c

    • SHA256

      208f1896e3939ca17d3e2de3e0ce38b83443d3a24f475a3e59fb7d2900ca8337

    • SHA512

      ed2bc4d9973c4423f924df696c8783e657abd74f4b418f796e44feae06d6f19e29b1d584dfcf25973dcd78e1ac8e1936e7e6cf8222fbd2b0f6b024627287a8c3

    • SSDEEP

      768:RL+UB0dQH6LQHqxVRgXCoSMIOSUtShlxlTQykqdw1W7MfnCNT3iK+7NIq9:RHB0dNLQHqPyXZIOZGxlTQykqdwCMfnB

    Score
    1/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll

    • Size

      1.0MB

    • MD5

      66f7d94678f6fed80c6b2ff642408d86

    • SHA1

      b9da7cd717c7730dfc9ce047507dd165ad1efc84

    • SHA256

      4e2153b7a82e1d1486eca39e9d77ac253b5ce091eb4b99ae631dbe2b65f93049

    • SHA512

      8be925191d11493ee6041db113853e50dac69d831b6b7d95fd8102affc8d2f4a98c159c9693ae747aa22abb0263d55ff4bc4c8e577a40174a6d55a0e4b7a69f4

    • SSDEEP

      12288:lUUn+EbQ1RrnnnSQLQwzcdQgwXYMGk7Mw5zSmSXfcoxYWzrwjDJ6a+froQs4hLNE:lU3/RrnnnSQ0nbCY9CSj0YDsZFW2

    Score
    3/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml.example

    • Size

      2KB

    • MD5

      bc0afacd8028e222472bb32474db8148

    • SHA1

      826f5ec70527440c72e0be67cd4744d95f45f288

    • SHA256

      0d2e249a171a07a0b412c9f3eca041e772d530991d6333f9c96600c8c0935027

    • SHA512

      d65ac28f18ae9886f05f19feb209b6b26199c9353928f304ed705efa9e0632b66442fde52e6fcabdc81a9b3b42bb3a751df5e08929acea14ecbfb43294214664

    Score
    1/10
    • Target

      VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.dll

    • Size

      2.5MB

    • MD5

      a719a641167956699558e032468ba229

    • SHA1

      44a88f80e44f3c35d2d8e0903a7eb3d394a5f7c7

    • SHA256

      fc1b45835dbd7cd9dac6e6daae5c00de5ef8c7335206f5c08ed1188624c9478a

    • SHA512

      231bda20f994c72b088b84fefdc56cc03c176781ad7771b376267ce7b3c8d233292ee8c5576c026b734974615f010057b92d5f73678135212cd302a878fdcac9

    • SSDEEP

      49152:wrrCBBuLnIjHKLiVA+g1JjNIEGMX7j1MH0ewdDmEkuId1lrOqjv:/BBuTaqL2UfGEH5eJEIdR

    Score
    1/10
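The report above gives file hashes, a C2 socket, and a 680.7MB executable that ships inside a 10.3MB archive. The following Python is an added example (not part of the sandbox output) showing how a responder turns those indicators into checks: hash-sweep a directory against the report's SHA-256 values, flag archive members whose compression ratio points to padding without extracting them, and match connection logs against the C2. The hash values and the C2 address are copied from the report; the 10:1 threshold and the firewall log lines are constructed assumptions.

```python
"""Triage helpers built from the indicators in this report (added example,
not sandbox output). Hashes and C2 come from the report; the padding
threshold and the sample log lines are the editor's assumptions."""
import hashlib
import os
import re
import tempfile
import zipfile

# SHA-256 indicators copied from the report: the container, the loader and
# the highest-scoring dropped DLL.
SHA256_IOCS = {
    "3d30d701fb087416627321c60ab02f143718aefbb3ea7e2689b6fb658ab78ab6":
        "VSCodeUserSetup-x64-1.74.3.zip",
    "369ad6d01ffbd5af4a4da72d648afb41af0b694bbb05a39be0f4314daddce219":
        "VSCodeUserSetup-x64-1.74.3.exe (PureCrypter -> Aurora)",
    "8c965bae549766b7fa4b9d9c7e56a729abc5474484efe94663b3c8bfd0429719":
        "upl/app/resources/mfds.dll",
}
C2_HOST, C2_PORT = "45.9.74.11", 8081

# Assumption: a member that deflates better than 10:1 is worth a look. Real
# installers are already compressed and sit near 1:1; the report's 680.7MB
# executable inside a 10.3MB zip is roughly 66:1.
PADDING_RATIO_THRESHOLD = 10.0

# Constructed firewall lines (not from the sandbox run). The third line is a
# different host sharing a prefix with the C2 and must not match.
SAMPLE_LOG = [
    "2023-02-04T21:44:10Z fw ALLOW TCP 10.0.0.23:51422 -> 45.9.74.11:8081",
    "2023-02-04T21:44:12Z fw ALLOW TCP 10.0.0.23:51423 -> 203.0.113.5:443",
    "2023-02-04T21:44:15Z fw ALLOW TCP 10.0.0.23:51424 -> 45.9.74.110:8081",
]


def hash_file(path, chunk=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over the file."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def sweep_directory(root):
    """Return (path, label) for every file whose SHA-256 is in SHA256_IOCS."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            label = SHA256_IOCS.get(hash_file(path)["sha256"])
            if label:
                hits.append((path, label))
    return hits


def padded_members(zip_path, threshold=PADDING_RATIO_THRESHOLD):
    """List (name, size, ratio) for members compressing better than threshold.

    Reads only the central directory, so nothing is extracted: an inflated
    loader or a zip bomb is flagged without writing hundreds of MB to disk.
    """
    flagged = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if ratio > threshold:
                flagged.append((info.filename, info.file_size, round(ratio, 1)))
    return flagged


# Host must not be a prefix of a longer address; the port may follow ":" or a
# short field name such as " dpt=" as long as no other digits sit in between.
_C2_RE = re.compile(rf"(?<![\d.]){re.escape(C2_HOST)}(?![\d.])\D{{0,40}}\b{C2_PORT}\b")


def find_c2_connections(log_lines):
    """Return the log lines recording traffic to the Aurora C2 from the report."""
    return [line for line in log_lines if _C2_RE.search(line)]


def demo():
    """Run all three checks against constructed fixtures and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        archive = os.path.join(tmp, "fixture.zip")
        with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("padded.bin", b"\x00" * 1_000_000)  # mimics an inflated loader
            zf.writestr("normal.bin", os.urandom(10_000))  # incompressible, ratio ~1
        return {
            "empty_sha256": hash_file(empty)["sha256"],
            "ioc_hits": sweep_directory(tmp),  # empty unless the report's files are present
            "padded": [name for name, _, _ in padded_members(archive)],
            "c2_lines": find_c2_connections(SAMPLE_LOG),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point sweep_directory at a download folder or an extracted installer tree; padded_members works on the original zip and is the cheap first check, since a legitimately built installer will not deflate 66:1.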

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 2 hits

  • Defense Evasion: Modify Registry (T1112), 2 hits

  • Discovery: Query Registry (T1012), 1 hit

  • Discovery: System Information Discovery (T1082), 2 hits
