aurora | b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8

General

Target

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
Size

7.5MB
MD5

cc1ea92ccab2960cedad3783799f56bb
SHA1

08c93ee33fc4c4486b710781da848acb259233c8
SHA256

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8
SHA512

62c8b32f74e4ee0bd427c6025e51ae2b652184d5fb79ac41e0dcebc6bb1c2bebe1920f4e0edb21bbe21125fe6d0f418cfaef4b6b8dc5f5a2e0744cf560257049
SSDEEP

24576:mATqsCp2Y4QpiwrVFwPteCpZTbceUIqzjoLh+joixy//qE522wuZ3/cRDJRkAYq8:pqsCpx4RwrVaoCrgk+lK1EbMz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.94:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe

description	pid	process	target process
PID 4452 set thread context of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4552	wmic.exe
Token: SeSecurityPrivilege	4552	wmic.exe
Token: SeTakeOwnershipPrivilege	4552	wmic.exe
Token: SeLoadDriverPrivilege	4552	wmic.exe
Token: SeSystemProfilePrivilege	4552	wmic.exe
Token: SeSystemtimePrivilege	4552	wmic.exe
Token: SeProfSingleProcessPrivilege	4552	wmic.exe
Token: SeIncBasePriorityPrivilege	4552	wmic.exe
Token: SeCreatePagefilePrivilege	4552	wmic.exe
Token: SeBackupPrivilege	4552	wmic.exe
Token: SeRestorePrivilege	4552	wmic.exe
Token: SeShutdownPrivilege	4552	wmic.exe
Token: SeDebugPrivilege	4552	wmic.exe
Token: SeSystemEnvironmentPrivilege	4552	wmic.exe
Token: SeRemoteShutdownPrivilege	4552	wmic.exe
Token: SeUndockPrivilege	4552	wmic.exe
Token: SeManageVolumePrivilege	4552	wmic.exe
Token: 33	4552	wmic.exe
Token: 34	4552	wmic.exe
Token: 35	4552	wmic.exe
Token: 36	4552	wmic.exe
Token: SeIncreaseQuotaPrivilege	4552	wmic.exe
Token: SeSecurityPrivilege	4552	wmic.exe
Token: SeTakeOwnershipPrivilege	4552	wmic.exe
Token: SeLoadDriverPrivilege	4552	wmic.exe
Token: SeSystemProfilePrivilege	4552	wmic.exe
Token: SeSystemtimePrivilege	4552	wmic.exe
Token: SeProfSingleProcessPrivilege	4552	wmic.exe
Token: SeIncBasePriorityPrivilege	4552	wmic.exe
Token: SeCreatePagefilePrivilege	4552	wmic.exe
Token: SeBackupPrivilege	4552	wmic.exe
Token: SeRestorePrivilege	4552	wmic.exe
Token: SeShutdownPrivilege	4552	wmic.exe
Token: SeDebugPrivilege	4552	wmic.exe
Token: SeSystemEnvironmentPrivilege	4552	wmic.exe
Token: SeRemoteShutdownPrivilege	4552	wmic.exe
Token: SeUndockPrivilege	4552	wmic.exe
Token: SeManageVolumePrivilege	4552	wmic.exe
Token: 33	4552	wmic.exe
Token: 34	4552	wmic.exe
Token: 35	4552	wmic.exe
Token: 36	4552	wmic.exe
Token: SeIncreaseQuotaPrivilege	3604	WMIC.exe
Token: SeSecurityPrivilege	3604	WMIC.exe
Token: SeTakeOwnershipPrivilege	3604	WMIC.exe
Token: SeLoadDriverPrivilege	3604	WMIC.exe
Token: SeSystemProfilePrivilege	3604	WMIC.exe
Token: SeSystemtimePrivilege	3604	WMIC.exe
Token: SeProfSingleProcessPrivilege	3604	WMIC.exe
Token: SeIncBasePriorityPrivilege	3604	WMIC.exe
Token: SeCreatePagefilePrivilege	3604	WMIC.exe
Token: SeBackupPrivilege	3604	WMIC.exe
Token: SeRestorePrivilege	3604	WMIC.exe
Token: SeShutdownPrivilege	3604	WMIC.exe
Token: SeDebugPrivilege	3604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3604	WMIC.exe
Token: SeRemoteShutdownPrivilege	3604	WMIC.exe
Token: SeUndockPrivilege	3604	WMIC.exe
Token: SeManageVolumePrivilege	3604	WMIC.exe
Token: 33	3604	WMIC.exe
Token: 34	3604	WMIC.exe
Token: 35	3604	WMIC.exe
Token: 36	3604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3604	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exeb5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.execmd.execmd.exe

description	pid	process	target process
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 4452 wrote to memory of 5028	4452	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
PID 5028 wrote to memory of 4552	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	wmic.exe
PID 5028 wrote to memory of 4552	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	wmic.exe
PID 5028 wrote to memory of 4932	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	cmd.exe
PID 5028 wrote to memory of 4932	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	cmd.exe
PID 4932 wrote to memory of 3604	4932	cmd.exe	WMIC.exe
PID 4932 wrote to memory of 3604	4932	cmd.exe	WMIC.exe
PID 5028 wrote to memory of 3516	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	cmd.exe
PID 5028 wrote to memory of 3516	5028	b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe	cmd.exe
PID 3516 wrote to memory of 3708	3516	cmd.exe	WMIC.exe
PID 3516 wrote to memory of 3708	3516	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
"C:\Users\Admin\AppData\Local\Temp\b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe
"C:\Users\Admin\AppData\Local\Temp\b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
2b8e1b75b4d4fdf0c640838191ac3946

SHA1
dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f

SHA256
17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e

SHA512
3c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038

Download Submit
memory/5028-120-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-125-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-130-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-131-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-132-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-133-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-134-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-135-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-136-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download
memory/5028-168-0x00000000012E0000-0x000000000163C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads