aurora

Sharing

Copy URL

Twitter E-mail

General

Target

python-3.11.2-amd64.zip
Size

9.1MB
Sample

230215-rrbywabh71
MD5

06b70af076015c0cef59c33426175f9a
SHA1

a4dbfacca9104f705f930c04a8198a8a54407dd9
SHA256

c2e71baefc4efbdb667f3a5c153be3d3d2521d4b856f5381a96a6a272bc21ee8
SHA512

96bafec5da007054101ac1dc4236edc7727ff34df9ac5417ab9869c8561b07f2aa36586f1342b287ddff0f2866065b69eca51dc3e34960047468e7d9edbac1fa
SSDEEP

196608:oRtXp30sEfV2thY+PF2AMpzRsEs0lg3MY+qKRwhfeX4tJR/dlt:s30dV+lPF2AMwEsd3cFw1eQxlt

Score

10^/10

Malware Config

Extracted

Family

aurora

185.106.93.135:8081

Targets

- Target
  
  python-3.11.2-amd64/pres/fr/FaceBootstrapAdapter.dll
- Size
  
  601KB
- MD5
  
  c8f565341078f648a837ffe79ef99638
- SHA1
  
  b670fc2b952429c7c2ee9232e882fea0fd66d4d3
- SHA256
  
  f338ae29684431cfddd946d8dfe1aa195a36ec71fa3539422177cec48ac760f6
- SHA512
  
  00ae73b9bb02c983d25ff14f9b357f478ff51a1b0fa668fd5a644567249a1896789afec4be6c6e77a037e0c1f77a5a1e7d5e41e5babd070270fa995332d9d4ad
- SSDEEP
  
  6144:cLQHwfP80CWXMjSi5I2KZyMK9sPOEDwNbqlVUojmRDe2bf4A7RKED0sk/OzX8QNP:cLQHwfE0CWXOhOxSnb8bmNm/0X8QaIZ
Score

3^/10
behavioral1 behavioral2
- Target
  
  python-3.11.2-amd64/pres/fr/FaceTrackerInternal.dll
- Size
  
  1.3MB
- MD5
  
  fd700183d3cb66dd9998afc2a7735428
- SHA1
  
  6d5be8ff0f322c63e5a076b08b719ecfc44d9571
- SHA256
  
  231b26e7e0536cfe42f48c4e6f4207756bf364da1617385cd5fdde05ce283b62
- SHA512
  
  47f83bbdc057c31726fe44223c7a14d905b3caf4de62b93e003e0dd8945333865d871dedbbc56edcc93bb1f6b8666b9e6a12e8a19b18a227b2c5b1573a0aade1
- SSDEEP
  
  24576:UGs/dhE+1dFvqZu1nvBMN+Au27MV5+JVJ1vG7Go0nnnnnnnnnnnnnnnnnnnnnnni:sdyGs+upJH1vG7GNnnnnnnnnnnnnnnni
Score

3^/10
behavioral3 behavioral4
- Target
  
  python-3.11.2-amd64/pres/fr/docs/perf/MapRouter.dll
- Size
  
  3.0MB
- MD5
  
  ed462036b7ec9d6d9d668f0f51443319
- SHA1
  
  1a0bc32ca9dd5b1451355e7733aecb330ece7a58
- SHA256
  
  81f1badd9345f296ae34809bc745ca4dfcde1def0dfd317076d5340981b5fb94
- SHA512
  
  b5f9efcab8686c439880af06d5b0d59da77b7f1fba72bdd97b5645b6bd0761ec069bbaf0d581837c939b7ce5765728210130d6c91c511be61b94267352f5c589
- SSDEEP
  
  49152:ZsffgkQDokXgBtPrrI8+yna8hSWvy9N4m7Zgygb22Bdxs63mkdV2z4ju7GKARnPM:VtwWzJ2BHtvn6Z
Score

3^/10
behavioral5 behavioral6
- Target
  
  python-3.11.2-amd64/pres/fr/docs/perf/XblAuthManager.dll
- Size
  
  1.0MB
- MD5
  
  b62c41e672194a919028786e4a480541
- SHA1
  
  1126775fa1ca75a7eb31d45fe084439d6b062d78
- SHA256
  
  1a5dce5775cd0a511f0edcb23669525590f0f94455c567ddb76dd15c8f25d347
- SHA512
  
  629fadbd1b8f1d0a39b99cdca2b51bce242a7e5973ad29dbd1ac216b76a7ff8ddbf439346ad9b84d3c98fbd98d3907bbb73db28b2199f6ccbdb97d4407a80173
- SSDEEP
  
  24576:T9sMfLNd1RBnhk5OL07WdvHiLmM2cyFGY:T9sMBd1RZhkodvHiLmM2cy1
Score

1^/10
behavioral7 behavioral8
- Target
  
  python-3.11.2-amd64/pres/fr/docs/perf/XpsPrint.dll
- Size
  
  1.4MB
- MD5
  
  952599e3d3f8ef464fdef1242c339f07
- SHA1
  
  cc568a48440d31bb1c3f55a3963d2e2f0bc2dc9c
- SHA256
  
  4eea5be064a0be852df48e71f5b091497b949b8be26decf27321f15272f2f2be
- SHA512
  
  4fa9a2e2ee71c15e2fba4d7156bf2556faae9dc82113fa681daaafb1dd010c66ff5769689a9faf5e57b615712989aabe607f2b5929586ba83c98a52959a5a765
- SSDEEP
  
  24576:mdSYMrn8OODiQHGglYdi59QV4dp6gFOMXMkkZfWzAp6nrAiH2N:SMrn8Oej2Qt6kOMXMPuzprY
Score

1^/10
behavioral10 behavioral9
- Target
  
  python-3.11.2-amd64/pres/fr/docs/perf/migstore.dll
- Size
  
  1.2MB
- MD5
  
  6edfa6fee4f91d989f0c95add39013f4
- SHA1
  
  c7e06bc42d0b9bb318aa604c7f8d009be3c4718a
- SHA256
  
  acb06cf520fa85c3929645c88d99ceb454bad6a9cb9642097b4b9b8a3504d4bf
- SHA512
  
  d6ff5655e9d434ea881072452a22d9441a3214d6ad08c16d5abc124ff569b0fb6b7deae0ffa8834486decec2247c92950d4d6baacf72ca87d45dda25ea6eb120
- SSDEEP
  
  12288:AEQz64gymq0bj97S1JzTtYZF1oj9JOx3CxGlEEbxdpU+:AEQO4gymq0bj97S1VGF1oBJORCxONo+
Score

1^/10
behavioral11 behavioral12
- Target
  
  python-3.11.2-amd64/pres/fr/docs/perf/xpsservices.dll
- Size
  
  2.7MB
- MD5
  
  f4e34ee10dc65ae33627a929f2a19e1c
- SHA1
  
  c30dfb8b55603e64c0108038f32d5b88d446fc1e
- SHA256
  
  f267f96958f02f26ccc06ffb3208c68fc6211093772c6b0796c4eed40642aa9a
- SHA512
  
  e7511117c3ae36a0487768b1b0a0ed94de0614c6ca55cf94a47702848bf951957946aca8add1679dbb32d67d610914a6b7778ba709d7e147c52fc2786d49e211
- SSDEEP
  
  49152:445KDmUD2IkY9PWlhwFTezoM2zoMqLU8teiRzMXMdSv5u2+zxGZQ7m8h:oo88t4P+zxX7mW
Score

1^/10
behavioral13 behavioral14
- Target
  
  python-3.11.2-amd64/pres/fr/dons/mig/msv/MSVidCtl.dll
- Size
  
  3.3MB
- MD5
  
  6a93c400f7d5bcf8799c0506531f7d12
- SHA1
  
  f8ecd93adfc87ae76970656bd15af3a960a83428
- SHA256
  
  6679297f7e7f17ef37f48fa25f070d78e76324d167aa8b961d85327321e58754
- SHA512
  
  209476a382bce5b53762b52c5b9f3f1bcb0d1f3b3763d1c8aa3ed6c1af838d4b442ffd7a40eb851a6c36a462031ee5fda5617dae5348426f7de3ef73b2aaec6d
- SSDEEP
  
  49152:GRVfgoQrkv0BzBQLW6Ki8gT3lZhrnxySgnpO91MmIusURfvxmtdl:GRVfgoQrkv0BVi8gT3r9xyS1jzfvx
Score

1^/10
behavioral15 behavioral16
- Target
  
  python-3.11.2-amd64/pres/fr/dons/mig/msv/XpsPrint.dll
- Size
  
  1.4MB
- MD5
  
  952599e3d3f8ef464fdef1242c339f07
- SHA1
  
  cc568a48440d31bb1c3f55a3963d2e2f0bc2dc9c
- SHA256
  
  4eea5be064a0be852df48e71f5b091497b949b8be26decf27321f15272f2f2be
- SHA512
  
  4fa9a2e2ee71c15e2fba4d7156bf2556faae9dc82113fa681daaafb1dd010c66ff5769689a9faf5e57b615712989aabe607f2b5929586ba83c98a52959a5a765
- SSDEEP
  
  24576:mdSYMrn8OODiQHGglYdi59QV4dp6gFOMXMkkZfWzAp6nrAiH2N:SMrn8Oej2Qt6kOMXMPuzprY
Score

1^/10
behavioral17 behavioral18
- Target
  
  python-3.11.2-amd64/pres/fr/dons/mig/msv/winsetup.dll
- Size
  
  3.5MB
- MD5
  
  b6a2e94c56a141b004e400358e72ce79
- SHA1
  
  fe3a749812c0014d7810b4bc5e2f849384cd9e31
- SHA256
  
  2b40132fa4e1c3de5e70d57935e2c99de437f69ae934a70243dae9a0ce3ca6c2
- SHA512
  
  a31dce366e5d1a53821ea4db01d3f7b1924be9bf5c8e0ab74aadf48c1b6f85d4c7656eecfc0bc9cce915b765589b4bb9c324dce21ae5eae1f4f8774bb6b282a3
- SSDEEP
  
  49152:NHSWbyqeCs3pbW5O/hPMiyYbR6BjG0eFHt6Hfp9pt8/s2tyml418:I/6dYbR6e69ncymz
Score

1^/10
behavioral19 behavioral20
- Target
  
  python-3.11.2-amd64/pres/fr/wbemcore.dll
- Size
  
  1.9MB
- MD5
  
  2f82104b7c628393c8fc32970221edb2
- SHA1
  
  322cc8128c20d2ff3cee1a61e901c50e70ef18cb
- SHA256
  
  f0dddd1348276d16b8989c2c92ce8e1cabeaccd654bbc9889fd190f9cfdf98d5
- SHA512
  
  9939b8abea3189839fd522a00d0e1a7f9ce2fcc0bb0649b7dddde8be829cdcf75da1f571744c2594b6c837def6a906c3b55234fcfc789ffb4c945be53f1a80bf
- SSDEEP
  
  49152:AUp36LQ32LIDHFzhIGaky59jnDBP44Ggw:0E32LITlaky59jnD1G
Score

7^/10

persistence
- Registers COM server for autorun
  persistence
behavioral21 behavioral22
- Target
  
  python-3.11.2-amd64/pres/ind/app/ProvProvider.dll
- Size
  
  753KB
- MD5
  
  70c34975e700a9d7e120aaecf9d8f14b
- SHA1
  
  e24d47f025c0ec0f60ec187bfc664e9347dc2c9c
- SHA256
  
  a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7
- SHA512
  
  7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260
- SSDEEP
  
  12288:X/ck9AStILSQfhJI1UOAibcu978/ftYEGVRU8rbcgWte6QP:PckaLSQpJI1UeUKEKFfetTQP
Score

1^/10
behavioral23 behavioral24
- Target
  
  python-3.11.2-amd64/pres/ind/app/TransmogProvider.dll
- Size
  
  1.3MB
- MD5
  
  8566a733bcca087211a6090948fdf5e6
- SHA1
  
  4b4924bd91e891b095e42d679a949214b918f810
- SHA256
  
  3edccab42b30d7a766913a49716ef0b5bd32ccd28576b11a521fc9c70b7bd696
- SHA512
  
  a91c35df789bbf6880972d6ea620be3c817f7883ed89f22139e9443692df3d4aae97bcfad9997e252b42d7e8d87aa15d263db1d8f5acabf60866d5bcc76ae433
- SSDEEP
  
  6144:8TIbdFF8/b4WK9zG9rDAs+7x2Bfc3zmuzFvxJA/8KomOQaCyNu0OONLUJnNckM3v:8TSQ/b4W2FYfcD9i22aWA3BzwrEfUq
Score

1^/10
behavioral25 behavioral26
- Target
  
  python-3.11.2-amd64/python-3.11.2-amd64.exe
- Size
  
  715.8MB
- MD5
  
  a42b7625c148fbde402d6b844ccbfdc2
- SHA1
  
  f464ef64fa2589b2048cfb50ae5ccc0ea48c8c08
- SHA256
  
  58a4ebf92461eecd3ba5aa6fb1f5ad1a1ea721b288236a2aa3bf6e29b0138b6d
- SHA512
  
  c4b5173ad48521c74579f98ada171f2fd8239dab8316ab6c3f5bd094504e603313b935a5229bb9d4c91885d3e48062c9584dc9eb15ee31fd5311852282919325
- SSDEEP
  
  3072:XahKyd2n31hv15DAoieXpw7vbB5jaqjwxeRvaDW:XahOzfie5w795jLj1RyW
Score

10^/10

aurora persistence stealer spyware
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral27 behavioral28

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Registers COM server for autorun

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28