aurora | b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73

General

Target

4a39e396ddbd9c7116858b6f96a06eb2.exe
Size

1.4MB
MD5

4a39e396ddbd9c7116858b6f96a06eb2
SHA1

53d51d7c43f6af46f720025eafbf346586bfae09
SHA256

b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73
SHA512

03984f76e2050464bc6e9269d8c488a3f7d38bdda22ced6fdcb0c43522eec1248b00772cc8510944b4856185b40883a64537fa81d7ce73e55f4271fc726dcf37
SSDEEP

24576:mFsLW3eGfYYrd+z9tEdnJkQ8D9rgf2UhxVgnj20E+3b+sC5E2B7K1X42tdYyTr6i:BLWuMrpP8D98XYqY36sCFK1I2tqu2T47

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.34:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe
Token: SeSystemProfilePrivilege	880	WMIC.exe
Token: SeSystemtimePrivilege	880	WMIC.exe
Token: SeProfSingleProcessPrivilege	880	WMIC.exe
Token: SeIncBasePriorityPrivilege	880	WMIC.exe
Token: SeCreatePagefilePrivilege	880	WMIC.exe
Token: SeBackupPrivilege	880	WMIC.exe
Token: SeRestorePrivilege	880	WMIC.exe
Token: SeShutdownPrivilege	880	WMIC.exe
Token: SeDebugPrivilege	880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	880	WMIC.exe
Token: SeRemoteShutdownPrivilege	880	WMIC.exe
Token: SeUndockPrivilege	880	WMIC.exe
Token: SeManageVolumePrivilege	880	WMIC.exe
Token: 33	880	WMIC.exe
Token: 34	880	WMIC.exe
Token: 35	880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4a39e396ddbd9c7116858b6f96a06eb2.execmd.execmd.exe

description	pid	process	target process
PID 1336 wrote to memory of 904	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 1336 wrote to memory of 904	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 1336 wrote to memory of 904	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 1336 wrote to memory of 904	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 1336 wrote to memory of 1704	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 1704	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 1704	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 1704	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1704 wrote to memory of 880	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 880	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 880	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 880	1704	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 932	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 932	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 932	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1336 wrote to memory of 932	1336	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 932 wrote to memory of 1868	932	cmd.exe	WMIC.exe
PID 932 wrote to memory of 1868	932	cmd.exe	WMIC.exe
PID 932 wrote to memory of 1868	932	cmd.exe	WMIC.exe
PID 932 wrote to memory of 1868	932	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe
"C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e23f78017d1e6eddfc8480e1679ee4

SHA1
0667bd1b7129b105bd2c66ef6ad54c9648aec072

SHA256
4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91

SHA512
b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049

Download Submit
memory/1336-54-0x00000000021B0000-0x00000000022FA000-memory.dmp

Filesize
1.3MB

Download
memory/1336-55-0x0000000002300000-0x00000000025FF000-memory.dmp

Filesize
3.0MB

Download
memory/1336-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing