aurora | be393666930fcd6564cec396d8b9732f34f6fdb9cdbd2283f21723a060ddeff3 | Triage

Sharing

General

Target

innosetup-6.2.1.zip
Size

5.0MB
Sample

230226-k96smsgc5w
MD5

3f31bd210e7dfd03d5068289b6dd4038
SHA1

4a2d098fe1fc26796b31161bcb5c9d7c1f4f9aa4
SHA256

be393666930fcd6564cec396d8b9732f34f6fdb9cdbd2283f21723a060ddeff3
SHA512

1c4823b159a3c7402a15ccf3dfb6e3389ee021a45a648a702771ec0d0a0dfa92f2c9970fe1455f9172a60f062a2493b9b50800996871fa590528c9ecf5f777eb
SSDEEP

98304:+yKr29KVJT2Zbq7K+uldELn0uNjN/aEKKKrYroE:+brVp4bql0uNjAEiIoE

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.71:8081

Targets

- Target
  
  innosetup-6.2.1.exe
- Size
  
  807.4MB
- MD5
  
  0257fe004e87f99031fde2dcbec1f727
- SHA1
  
  e00a5c6d34d7bc6e9d663b88230d86de16abc8a1
- SHA256
  
  d5bb2d356876be75ddc3a2c26172acd352dac04c9b49eea6695b05b9ddba7495
- SHA512
  
  b6d81b126b39bb2eb3829eda0fc00eff25900c965a3a046cef63bf14f102c5480cff4c31482d93e63ae4779c73087f4541e8092597b85e73bb49973c3cfc412b
- SSDEEP
  
  24576:x94s6V9vqyQT0iAw7vyc6CD8aH465hV27+TYF5otaz4ihmfg0dGRX8N1f+2b39Yh:x9h6V9vq/AwryFCJCh1z1
Score

10^/10

aurora spyware stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

auroraspywarestealer

behavioral2