aurora | 40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20 | Triage

Sharing

General

Target

innosetup-6.2.1.exe
Size

7.4MB
Sample

230226-lerkxage45
MD5

5253a5a1631e8dfec0d91393656071c8
SHA1

13db3be759b3d1746f08c7e40a64e06b840d5fb9
SHA256

40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20
SHA512

42d1591f7106e61ed3892e377e4b265cafc14c28fb3c61fa4578b6d5c2d78ad3a840c9a9c1436f2c23e9200df38b1084a7088ca62bb3265122e52db0dea61dc1
SSDEEP

24576:x94s6V9vqyQT0iAw7vyc6CD8aH465hV27+TYF5otaz4ihmfg0dGRX8N1f+2b39Yh:x9h6V9vq/AwryFCJCh1z1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.71:8081

Targets

- Target
  
  innosetup-6.2.1.exe
- Size
  
  7.4MB
- MD5
  
  5253a5a1631e8dfec0d91393656071c8
- SHA1
  
  13db3be759b3d1746f08c7e40a64e06b840d5fb9
- SHA256
  
  40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20
- SHA512
  
  42d1591f7106e61ed3892e377e4b265cafc14c28fb3c61fa4578b6d5c2d78ad3a840c9a9c1436f2c23e9200df38b1084a7088ca62bb3265122e52db0dea61dc1
- SSDEEP
  
  24576:x94s6V9vqyQT0iAw7vyc6CD8aH465hV27+TYF5otaz4ihmfg0dGRX8N1f+2b39Yh:x9h6V9vq/AwryFCJCh1z1
Score

10^/10

aurora stealer spyware
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

auroraspywarestealer