aurora | 40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20

General

Target

innosetup-6.2.1.exe
Size

7.4MB
MD5

5253a5a1631e8dfec0d91393656071c8
SHA1

13db3be759b3d1746f08c7e40a64e06b840d5fb9
SHA256

40a3561b321f01b715274144fb75d79e4d3437cf10dcee86818b9a02f8849d20
SHA512

42d1591f7106e61ed3892e377e4b265cafc14c28fb3c61fa4578b6d5c2d78ad3a840c9a9c1436f2c23e9200df38b1084a7088ca62bb3265122e52db0dea61dc1
SSDEEP

24576:x94s6V9vqyQT0iAw7vyc6CD8aH465hV27+TYF5otaz4ihmfg0dGRX8N1f+2b39Yh:x9h6V9vq/AwryFCJCh1z1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.71:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

innosetup-6.2.1.exe

description pid process target process

PID 3816 set thread context of 2080 3816 innosetup-6.2.1.exe innosetup-6.2.1.exe

description	pid	process	target process
PID 3816 set thread context of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4740	wmic.exe
Token: SeSecurityPrivilege	4740	wmic.exe
Token: SeTakeOwnershipPrivilege	4740	wmic.exe
Token: SeLoadDriverPrivilege	4740	wmic.exe
Token: SeSystemProfilePrivilege	4740	wmic.exe
Token: SeSystemtimePrivilege	4740	wmic.exe
Token: SeProfSingleProcessPrivilege	4740	wmic.exe
Token: SeIncBasePriorityPrivilege	4740	wmic.exe
Token: SeCreatePagefilePrivilege	4740	wmic.exe
Token: SeBackupPrivilege	4740	wmic.exe
Token: SeRestorePrivilege	4740	wmic.exe
Token: SeShutdownPrivilege	4740	wmic.exe
Token: SeDebugPrivilege	4740	wmic.exe
Token: SeSystemEnvironmentPrivilege	4740	wmic.exe
Token: SeRemoteShutdownPrivilege	4740	wmic.exe
Token: SeUndockPrivilege	4740	wmic.exe
Token: SeManageVolumePrivilege	4740	wmic.exe
Token: 33	4740	wmic.exe
Token: 34	4740	wmic.exe
Token: 35	4740	wmic.exe
Token: 36	4740	wmic.exe
Token: SeIncreaseQuotaPrivilege	4740	wmic.exe
Token: SeSecurityPrivilege	4740	wmic.exe
Token: SeTakeOwnershipPrivilege	4740	wmic.exe
Token: SeLoadDriverPrivilege	4740	wmic.exe
Token: SeSystemProfilePrivilege	4740	wmic.exe
Token: SeSystemtimePrivilege	4740	wmic.exe
Token: SeProfSingleProcessPrivilege	4740	wmic.exe
Token: SeIncBasePriorityPrivilege	4740	wmic.exe
Token: SeCreatePagefilePrivilege	4740	wmic.exe
Token: SeBackupPrivilege	4740	wmic.exe
Token: SeRestorePrivilege	4740	wmic.exe
Token: SeShutdownPrivilege	4740	wmic.exe
Token: SeDebugPrivilege	4740	wmic.exe
Token: SeSystemEnvironmentPrivilege	4740	wmic.exe
Token: SeRemoteShutdownPrivilege	4740	wmic.exe
Token: SeUndockPrivilege	4740	wmic.exe
Token: SeManageVolumePrivilege	4740	wmic.exe
Token: 33	4740	wmic.exe
Token: 34	4740	wmic.exe
Token: 35	4740	wmic.exe
Token: 36	4740	wmic.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

innosetup-6.2.1.exeinnosetup-6.2.1.execmd.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 3816 wrote to memory of 2080	3816	innosetup-6.2.1.exe	innosetup-6.2.1.exe
PID 2080 wrote to memory of 4740	2080	innosetup-6.2.1.exe	wmic.exe
PID 2080 wrote to memory of 4740	2080	innosetup-6.2.1.exe	wmic.exe
PID 2080 wrote to memory of 2384	2080	innosetup-6.2.1.exe	cmd.exe
PID 2080 wrote to memory of 2384	2080	innosetup-6.2.1.exe	cmd.exe
PID 2384 wrote to memory of 4340	2384	cmd.exe	WMIC.exe
PID 2384 wrote to memory of 4340	2384	cmd.exe	WMIC.exe
PID 2080 wrote to memory of 4696	2080	innosetup-6.2.1.exe	cmd.exe
PID 2080 wrote to memory of 4696	2080	innosetup-6.2.1.exe	cmd.exe
PID 4696 wrote to memory of 100	4696	cmd.exe	WMIC.exe
PID 4696 wrote to memory of 100	4696	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
b2446d155f77cf70a33bb0c25172fa3f

SHA1
c20d68dad9e872b4607a5677c4851f863c28daf7

SHA256
0faba9ea9b88b2982372c66b2eea8d6a5d99fc565c37db53ba6a4075619cfffb

SHA512
5d38e78c38f64a989570b431f7d2ef660c0678b3dc25baf3244499308535492de861a244e262720e36eeb4f8127eca62679c0b0383350c302783246191e82654

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
53bf804f75123ed2339305be1d298398

SHA1
33a337e3e219da8ecd237b44fbcaf4864124a012

SHA256
7d6155b8b6c9a78a70af6be7df47f1dac5f40215f4a6ae431d1ee27c021888f8

SHA512
7611c75031b77b6098f1e70c1b27e0a95f259616f8b2f8acc734e371998badf321c10c9fb8669d61615673f0fb65787f0398966bda38cd430e009c83df00e16e

Download Submit
memory/2080-133-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-139-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-145-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-146-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-147-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-148-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-149-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-150-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-151-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download
memory/2080-204-0x0000000000440000-0x000000000079D000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing