General

  • Target

    C4Loader.rar

  • Size

    127KB

  • Sample

    230214-1gmgasgd48

  • MD5

    29ca3b684fb4d4a1f80f573834cf1989

  • SHA1

    e83bd0d6009eaf12b1f313470b8128a72a6efc6b

  • SHA256

    af022913cceb5218316cd2880e585c1e90a1da97ec393f40eeb49ed0c368247d

  • SHA512

    b51da78bd5658035e5fe2985d32ddc9850882066ba8746745dc6fc7bac7b3a7a1a3362596ffb8ab95f0defb2798856ec6e8c8bdda34b0f99e61aa9fb5d669be5

  • SSDEEP

    3072:tyCuV8YFkbf+ZiJFRqgzH2LDK5Ar/MC7H1wlC3C4Aq7x:7YF/ZijzWnK2YCb1w43lBx

Malware Config

Extracted

Family

aurora

C2

107.182.129.73:8081

Targets

    • Target

      C4Loader.rar

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext