aurora | b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8

General

Target

cc1ea92ccab2960cedad3783799f56bb.exe
Size

7.5MB
MD5

cc1ea92ccab2960cedad3783799f56bb
SHA1

08c93ee33fc4c4486b710781da848acb259233c8
SHA256

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8
SHA512

62c8b32f74e4ee0bd427c6025e51ae2b652184d5fb79ac41e0dcebc6bb1c2bebe1920f4e0edb21bbe21125fe6d0f418cfaef4b6b8dc5f5a2e0744cf560257049
SSDEEP

24576:mATqsCp2Y4QpiwrVFwPteCpZTbceUIqzjoLh+joixy//qE522wuZ3/cRDJRkAYq8:pqsCpx4RwrVaoCrgk+lK1EbMz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.94:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

cc1ea92ccab2960cedad3783799f56bb.exe

description pid process target process

PID 1208 set thread context of 1744 1208 cc1ea92ccab2960cedad3783799f56bb.exe cc1ea92ccab2960cedad3783799f56bb.exe

description	pid	process	target process
PID 1208 set thread context of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cc1ea92ccab2960cedad3783799f56bb.execc1ea92ccab2960cedad3783799f56bb.execmd.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744	1208	cc1ea92ccab2960cedad3783799f56bb.exe	cc1ea92ccab2960cedad3783799f56bb.exe
PID 1744 wrote to memory of 1656	1744	cc1ea92ccab2960cedad3783799f56bb.exe	wmic.exe
PID 1744 wrote to memory of 1656	1744	cc1ea92ccab2960cedad3783799f56bb.exe	wmic.exe
PID 1744 wrote to memory of 1656	1744	cc1ea92ccab2960cedad3783799f56bb.exe	wmic.exe
PID 1744 wrote to memory of 568	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 1744 wrote to memory of 568	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 1744 wrote to memory of 568	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 568 wrote to memory of 1640	568	cmd.exe	WMIC.exe
PID 568 wrote to memory of 1640	568	cmd.exe	WMIC.exe
PID 568 wrote to memory of 1640	568	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 900	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 1744 wrote to memory of 900	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 1744 wrote to memory of 900	1744	cc1ea92ccab2960cedad3783799f56bb.exe	cmd.exe
PID 900 wrote to memory of 836	900	cmd.exe	WMIC.exe
PID 900 wrote to memory of 836	900	cmd.exe	WMIC.exe
PID 900 wrote to memory of 836	900	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
7634ebd082abbba35a8e6a300ec83c51

SHA1
953666e70fbed932e4bed446f1d1e432781972b7

SHA256
792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f

SHA512
6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

Download Submit
memory/1744-62-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-57-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-65-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-66-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-59-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-60-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-61-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/1744-54-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-103-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-56-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-58-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-67-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-68-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-69-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-70-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-55-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-102-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1744-64-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing