aurora | 5e61f677c9d9b6f3d99207aaef0ed7e97b83f7f2bcad9fa6bfe9b448211e3962

General

Target

2297fd847480edf06c8349f11c9a18c4.bin.exe
Size

4.1MB
MD5

2297fd847480edf06c8349f11c9a18c4
SHA1

d8b28b25b698a2a2cab51f62aa314836eb8a9539
SHA256

5e61f677c9d9b6f3d99207aaef0ed7e97b83f7f2bcad9fa6bfe9b448211e3962
SHA512

2e49ff44d4e8d3af5a4993ded4be8e84d7eae238ea57e00abb149c2548890333d787dab38dcf99f8a6e86a9d9df4197fc87a0a3789aab2f4f2bbe6cfdcd4847f
SSDEEP

98304:Py1WKANUQ46n5qt8O2UpxSoovsE+7fyruJHCdd:c7Q4Yqt3bphokE+7fyCJHC

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.15.157.130:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

2297fd847480edf06c8349f11c9a18c4.bin.exe

description pid process target process

PID 1340 set thread context of 1772 1340 2297fd847480edf06c8349f11c9a18c4.bin.exe InstallUtil.exe

description	pid	process	target process
PID 1340 set thread context of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	576	WMIC.exe
Token: SeSecurityPrivilege	576	WMIC.exe
Token: SeTakeOwnershipPrivilege	576	WMIC.exe
Token: SeLoadDriverPrivilege	576	WMIC.exe
Token: SeSystemProfilePrivilege	576	WMIC.exe
Token: SeSystemtimePrivilege	576	WMIC.exe
Token: SeProfSingleProcessPrivilege	576	WMIC.exe
Token: SeIncBasePriorityPrivilege	576	WMIC.exe
Token: SeCreatePagefilePrivilege	576	WMIC.exe
Token: SeBackupPrivilege	576	WMIC.exe
Token: SeRestorePrivilege	576	WMIC.exe
Token: SeShutdownPrivilege	576	WMIC.exe
Token: SeDebugPrivilege	576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	576	WMIC.exe
Token: SeRemoteShutdownPrivilege	576	WMIC.exe
Token: SeUndockPrivilege	576	WMIC.exe
Token: SeManageVolumePrivilege	576	WMIC.exe
Token: 33	576	WMIC.exe
Token: 34	576	WMIC.exe
Token: 35	576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	576	WMIC.exe
Token: SeSecurityPrivilege	576	WMIC.exe
Token: SeTakeOwnershipPrivilege	576	WMIC.exe
Token: SeLoadDriverPrivilege	576	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2297fd847480edf06c8349f11c9a18c4.bin.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1340 wrote to memory of 1772	1340	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1772 wrote to memory of 1948	1772	InstallUtil.exe	wmic.exe
PID 1772 wrote to memory of 1948	1772	InstallUtil.exe	wmic.exe
PID 1772 wrote to memory of 1948	1772	InstallUtil.exe	wmic.exe
PID 1772 wrote to memory of 1948	1772	InstallUtil.exe	wmic.exe
PID 1772 wrote to memory of 568	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 568	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 568	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 568	1772	InstallUtil.exe	cmd.exe
PID 568 wrote to memory of 576	568	cmd.exe	WMIC.exe
PID 568 wrote to memory of 576	568	cmd.exe	WMIC.exe
PID 568 wrote to memory of 576	568	cmd.exe	WMIC.exe
PID 568 wrote to memory of 576	568	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 680	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 680	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 680	1772	InstallUtil.exe	cmd.exe
PID 1772 wrote to memory of 680	1772	InstallUtil.exe	cmd.exe
PID 680 wrote to memory of 1676	680	cmd.exe	WMIC.exe
PID 680 wrote to memory of 1676	680	cmd.exe	WMIC.exe
PID 680 wrote to memory of 1676	680	cmd.exe	WMIC.exe
PID 680 wrote to memory of 1676	680	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2297fd847480edf06c8349f11c9a18c4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2297fd847480edf06c8349f11c9a18c4.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
2beb695add0546f6a18496aae58b2558

SHA1
1fd818202a94825c56ad7a7793bea87c6f02960e

SHA256
132cb7037ada7d8563c5b8cf64796ed22b0fbc1ccefbbbf5faa3c18545b289ed

SHA512
e80fa42ab27afa16e0f6f72639077be7da3e73f7c7b4cecbe0d24637ee76334de77a2b61e7c3afab4e3750e53a93baa68d3cdb9c1eb55fb9a5d580cff94f21f2

Download Submit
memory/1772-54-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-56-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-57-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-58-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-59-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-60-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-61-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-62-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-63-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1772-95-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing