aurora | 5e61f677c9d9b6f3d99207aaef0ed7e97b83f7f2bcad9fa6bfe9b448211e3962

General

Target

2297fd847480edf06c8349f11c9a18c4.bin.exe
Size

4.1MB
MD5

2297fd847480edf06c8349f11c9a18c4
SHA1

d8b28b25b698a2a2cab51f62aa314836eb8a9539
SHA256

5e61f677c9d9b6f3d99207aaef0ed7e97b83f7f2bcad9fa6bfe9b448211e3962
SHA512

2e49ff44d4e8d3af5a4993ded4be8e84d7eae238ea57e00abb149c2548890333d787dab38dcf99f8a6e86a9d9df4197fc87a0a3789aab2f4f2bbe6cfdcd4847f
SSDEEP

98304:Py1WKANUQ46n5qt8O2UpxSoovsE+7fyruJHCdd:c7Q4Yqt3bphokE+7fyCJHC

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.15.157.130:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

2297fd847480edf06c8349f11c9a18c4.bin.exe

description pid process target process

PID 1400 set thread context of 2396 1400 2297fd847480edf06c8349f11c9a18c4.bin.exe InstallUtil.exe

description	pid	process	target process
PID 1400 set thread context of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3724	wmic.exe
Token: SeSecurityPrivilege	3724	wmic.exe
Token: SeTakeOwnershipPrivilege	3724	wmic.exe
Token: SeLoadDriverPrivilege	3724	wmic.exe
Token: SeSystemProfilePrivilege	3724	wmic.exe
Token: SeSystemtimePrivilege	3724	wmic.exe
Token: SeProfSingleProcessPrivilege	3724	wmic.exe
Token: SeIncBasePriorityPrivilege	3724	wmic.exe
Token: SeCreatePagefilePrivilege	3724	wmic.exe
Token: SeBackupPrivilege	3724	wmic.exe
Token: SeRestorePrivilege	3724	wmic.exe
Token: SeShutdownPrivilege	3724	wmic.exe
Token: SeDebugPrivilege	3724	wmic.exe
Token: SeSystemEnvironmentPrivilege	3724	wmic.exe
Token: SeRemoteShutdownPrivilege	3724	wmic.exe
Token: SeUndockPrivilege	3724	wmic.exe
Token: SeManageVolumePrivilege	3724	wmic.exe
Token: 33	3724	wmic.exe
Token: 34	3724	wmic.exe
Token: 35	3724	wmic.exe
Token: 36	3724	wmic.exe
Token: SeIncreaseQuotaPrivilege	3724	wmic.exe
Token: SeSecurityPrivilege	3724	wmic.exe
Token: SeTakeOwnershipPrivilege	3724	wmic.exe
Token: SeLoadDriverPrivilege	3724	wmic.exe
Token: SeSystemProfilePrivilege	3724	wmic.exe
Token: SeSystemtimePrivilege	3724	wmic.exe
Token: SeProfSingleProcessPrivilege	3724	wmic.exe
Token: SeIncBasePriorityPrivilege	3724	wmic.exe
Token: SeCreatePagefilePrivilege	3724	wmic.exe
Token: SeBackupPrivilege	3724	wmic.exe
Token: SeRestorePrivilege	3724	wmic.exe
Token: SeShutdownPrivilege	3724	wmic.exe
Token: SeDebugPrivilege	3724	wmic.exe
Token: SeSystemEnvironmentPrivilege	3724	wmic.exe
Token: SeRemoteShutdownPrivilege	3724	wmic.exe
Token: SeUndockPrivilege	3724	wmic.exe
Token: SeManageVolumePrivilege	3724	wmic.exe
Token: 33	3724	wmic.exe
Token: 34	3724	wmic.exe
Token: 35	3724	wmic.exe
Token: 36	3724	wmic.exe
Token: SeIncreaseQuotaPrivilege	3512	WMIC.exe
Token: SeSecurityPrivilege	3512	WMIC.exe
Token: SeTakeOwnershipPrivilege	3512	WMIC.exe
Token: SeLoadDriverPrivilege	3512	WMIC.exe
Token: SeSystemProfilePrivilege	3512	WMIC.exe
Token: SeSystemtimePrivilege	3512	WMIC.exe
Token: SeProfSingleProcessPrivilege	3512	WMIC.exe
Token: SeIncBasePriorityPrivilege	3512	WMIC.exe
Token: SeCreatePagefilePrivilege	3512	WMIC.exe
Token: SeBackupPrivilege	3512	WMIC.exe
Token: SeRestorePrivilege	3512	WMIC.exe
Token: SeShutdownPrivilege	3512	WMIC.exe
Token: SeDebugPrivilege	3512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3512	WMIC.exe
Token: SeRemoteShutdownPrivilege	3512	WMIC.exe
Token: SeUndockPrivilege	3512	WMIC.exe
Token: SeManageVolumePrivilege	3512	WMIC.exe
Token: 33	3512	WMIC.exe
Token: 34	3512	WMIC.exe
Token: 35	3512	WMIC.exe
Token: 36	3512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3512	WMIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2297fd847480edf06c8349f11c9a18c4.bin.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 1400 wrote to memory of 2396	1400	2297fd847480edf06c8349f11c9a18c4.bin.exe	InstallUtil.exe
PID 2396 wrote to memory of 3724	2396	InstallUtil.exe	wmic.exe
PID 2396 wrote to memory of 3724	2396	InstallUtil.exe	wmic.exe
PID 2396 wrote to memory of 3724	2396	InstallUtil.exe	wmic.exe
PID 2396 wrote to memory of 2960	2396	InstallUtil.exe	cmd.exe
PID 2396 wrote to memory of 2960	2396	InstallUtil.exe	cmd.exe
PID 2396 wrote to memory of 2960	2396	InstallUtil.exe	cmd.exe
PID 2960 wrote to memory of 3512	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3512	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3512	2960	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2660	2396	InstallUtil.exe	cmd.exe
PID 2396 wrote to memory of 2660	2396	InstallUtil.exe	cmd.exe
PID 2396 wrote to memory of 2660	2396	InstallUtil.exe	cmd.exe
PID 2660 wrote to memory of 4256	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 4256	2660	cmd.exe	WMIC.exe
PID 2660 wrote to memory of 4256	2660	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2297fd847480edf06c8349f11c9a18c4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2297fd847480edf06c8349f11c9a18c4.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
memory/2396-133-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-135-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-136-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-137-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-139-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-140-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-141-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-142-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/2396-195-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing