General

  • Target

    C4Loader.exe

  • Size

    1023KB

  • Sample

    230215-s6292scd2x

  • MD5

    58085125085deb901f7a9dc84878dc83

  • SHA1

    4449658339d5ac9b6548547d4796a91d3e4988fd

  • SHA256

    f17169b0899deeded527fc3844abf46b7f14af1643568fcd95c04a69205282b6

  • SHA512

    5b05bc767d56f71305b8695dec76a9d14d7d70c703bfa5426ec5e40238a6c54bb570e752ed060aba09064f70792bc936150304ed3e9fcc86ada54cb6c2e8ee2a

  • SSDEEP

    3072:sb+Ukz9+SIRWDWTZjBIEIqjs6MsYkkblHz54uAg0FujDQ/Sv3x+F1I02:satETNjKEI4IsZkjAOsiB+F1I/

Score
10/10

Malware Config

  • Extracted

  • Family

    aurora

  • C2

    107.182.129.73:8081

Targets

    • Target

      C4Loader.exe

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (1) T1064
    Scheduled Task (1) T1053

  • Persistence

    Modify Existing Service (2) T1031
    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (1) T1112
    Impair Defenses (1) T1562
    Scripting (1) T1064

  • Impact

    Service Stop (1) T1489
