Malware Analysis Report

2024-11-30 23:05

Sample ID 230222-1xtkjsff6w
Target Vega X.zip
SHA256 546496eab1ffb0b28bd052c681d7a4b161b518bccead48c2427e88ac4efff451
Tags
aurora spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

546496eab1ffb0b28bd052c681d7a4b161b518bccead48c2427e88ac4efff451

Threat Level: Known bad

The file Vega X.zip was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-22 22:03

Signatures

Aurora family

aurora

Analysis: behavioral7

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

50s

Max time network

71s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themes.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themes.dll,#1

Network

Country Destination Domain Proto
US 20.189.173.4:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

67s

Max time network

92s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Update.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Update.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 13.89.178.27:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230221-en

Max time kernel

81s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vega X.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vega X.exe

"C:\Users\Admin\AppData\Local\Temp\Vega X.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
RU 185.106.93.132:8081 tcp
US 8.8.8.8:53 132.93.106.185.in-addr.arpa udp
IE 20.50.80.209:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 46988a922937a39036d6b71e62d0f966
SHA1 4a997f2a0360274ec7990aac156870a5a7030665
SHA256 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6
SHA512 dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 18da5c19d469f921ff9d44f1f17de97b
SHA1 bef606053494e1f516431d40f2aca29cf1deeb20
SHA256 662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0
SHA512 9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Analysis: behavioral6

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

87s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Textures.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Textures.dll,#1

Network

Country Destination Domain Proto
NL 173.223.113.131:80 www.microsoft.com tcp
US 20.189.173.9:443 tcp
US 8.8.8.8:53 11.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

98s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\exploit-main.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\exploit-main.dll,#1

Network

Country Destination Domain Proto
NL 8.238.177.126:80 tcp
US 52.168.112.66:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 8.238.177.126:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

86s

Max time network

115s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll,#1

Network

Country Destination Domain Proto
NL 84.53.175.11:80 tcp
NL 84.53.175.11:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

73s

Max time network

83s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameDev.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GameDev.dll,#1

Network

Country Destination Domain Proto
FR 51.11.192.49:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

60s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\OpenSource.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\OpenSource.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 173.223.113.131:80 www.microsoft.com tcp
US 8.8.8.8:53 131.113.223.173.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230221-en

Max time kernel

89s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ReadME.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ReadME.dll,#1

Network

Country Destination Domain Proto
US 104.208.16.90:443 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-02-22 22:02

Reported

2023-02-22 22:06

Platform

win10v2004-20230220-en

Max time kernel

96s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Setup.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Setup.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

N/A