General

  • Target

    java_win64_n1wp7ux1va.zip

  • Size

    6.0MB

  • Sample

    230215-h683gsac8w

  • MD5

    87a4ab8a77ea800305e47ebdfc5db7ab

  • SHA1

    b857d253ffb680f470fa67602873d348e4de27ef

  • SHA256

    1136c9de55d2b906975ee695b073bb214e464f619d3ec0c4d2629ebd75a73485

  • SHA512

    02f345147eec3e754d50d78fe7b46a5b912fe09bca964c54349cd2b0185c29a2cd7eff7a729b401c7746f640d0b1bfbdb4cf3d4fb85848feee02d0caa71c5b17

  • SSDEEP

    98304:Lngh7MfXqskWDOt0pX+xmNtv6fyX8b8L9JcZ7Zxfti64qD8aKHo78C:RXqKDOt0pX+Ev6fc8bQcNQ6rJ7J

Malware Config

Extracted

Family

aurora

C2

45.15.156.210:8081

Targets

    • Target

      java_win64_n1wp7ux1va.exe

    • Size

      270.4MB

    • MD5

      340c6577104ffaa3f46abc51ce55018a

    • SHA1

      8c7799428a45282dfafd342eaed5a78658915e8d

    • SHA256

      8fb273ba752804302bb87573a297953beabe4c99c05d21c7cb4825d9fff3cd0a

    • SHA512

      0be0d5896a77cbf6abd53fe0d98a5b0bbe2b9735e2f0f073fcf318e351f2b3ff644974936b734230a9245c420b73e3e72e8541ed18c10f6fe900c99094304f80

    • SSDEEP

      24576:SnjHnThJPWqliJ/y0A5RC5gxRJ3dCeiS3Lsy1xAyulQbgYNGErplM1SHg3bHWrKS:KjHnThJuqS/y0cCNgk+lKoEC9z1

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      2      T1112
  Defense Evasion       Install Root Certificate             1      T1130
  Credential Access     Credentials in Files                 2      T1081
  Collection            Data from Local System               2      T1005

Tasks