aurora | c533034c68cf9b7b86b79950c132979106d33b05c2fb01f97b31c831c410f40c

Analysis

max time kernel
134s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 15:36

Target

1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe
Size

3.8MB
MD5

1c1ca2ed51b39a0eaf5a1f0938c27213
SHA1

f1398c6185a1e01cab88c9f3d022f6cd43785b8e
SHA256

c533034c68cf9b7b86b79950c132979106d33b05c2fb01f97b31c831c410f40c
SHA512

d7b2b388e2948e2f3e0a2dcf1b098d1e6765ae4d9074eaa8de52da65fc046186087b6426e69a61a6e97aa07662b0918d2ff3bd59214f9d7ceb7d341d6cd4c49a
SSDEEP

49152:e4OuahtPKe0hSRjxv0H0W4Gih7Il3CCJCRhHHcaQlNwQNpJjVRdu:e2rhMj90H27IFCCMNQYQNpvO

Score

10^/10

aurora stealer

Family

aurora

82.115.223.135:8081

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Suspicious use of SetThreadContext 1 IoCs

Processes:

1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe

description pid process target process

PID 1996 set thread context of 1736 1996 1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe InstallUtil.exe

description	pid	process	target process
PID 1996 set thread context of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe

description	pid	process	target process
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe
PID 1996 wrote to memory of 1736	1996	1c1ca2ed51b39a0eaf5a1f0938c27213.bin.exe	InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1736

memory/1736-54-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-56-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-58-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-57-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-59-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-60-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-61-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1736-62-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download