aurora | b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73

General

Target

4a39e396ddbd9c7116858b6f96a06eb2.exe
Size

1.4MB
MD5

4a39e396ddbd9c7116858b6f96a06eb2
SHA1

53d51d7c43f6af46f720025eafbf346586bfae09
SHA256

b7318a38055034579cfb6799fd2cb264a6ef1a9f5d6952970474e4139374ef73
SHA512

03984f76e2050464bc6e9269d8c488a3f7d38bdda22ced6fdcb0c43522eec1248b00772cc8510944b4856185b40883a64537fa81d7ce73e55f4271fc726dcf37
SSDEEP

24576:mFsLW3eGfYYrd+z9tEdnJkQ8D9rgf2UhxVgnj20E+3b+sC5E2B7K1X42tdYyTr6i:BLWuMrpP8D98XYqY36sCFK1I2tqu2T47

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.34:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 2000 WerFault.exe 4a39e396ddbd9c7116858b6f96a06eb2.exe

pid	pid_target	process	target process
1508	2000	WerFault.exe	4a39e396ddbd9c7116858b6f96a06eb2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3372	wmic.exe
Token: SeSecurityPrivilege	3372	wmic.exe
Token: SeTakeOwnershipPrivilege	3372	wmic.exe
Token: SeLoadDriverPrivilege	3372	wmic.exe
Token: SeSystemProfilePrivilege	3372	wmic.exe
Token: SeSystemtimePrivilege	3372	wmic.exe
Token: SeProfSingleProcessPrivilege	3372	wmic.exe
Token: SeIncBasePriorityPrivilege	3372	wmic.exe
Token: SeCreatePagefilePrivilege	3372	wmic.exe
Token: SeBackupPrivilege	3372	wmic.exe
Token: SeRestorePrivilege	3372	wmic.exe
Token: SeShutdownPrivilege	3372	wmic.exe
Token: SeDebugPrivilege	3372	wmic.exe
Token: SeSystemEnvironmentPrivilege	3372	wmic.exe
Token: SeRemoteShutdownPrivilege	3372	wmic.exe
Token: SeUndockPrivilege	3372	wmic.exe
Token: SeManageVolumePrivilege	3372	wmic.exe
Token: 33	3372	wmic.exe
Token: 34	3372	wmic.exe
Token: 35	3372	wmic.exe
Token: 36	3372	wmic.exe
Token: SeIncreaseQuotaPrivilege	3372	wmic.exe
Token: SeSecurityPrivilege	3372	wmic.exe
Token: SeTakeOwnershipPrivilege	3372	wmic.exe
Token: SeLoadDriverPrivilege	3372	wmic.exe
Token: SeSystemProfilePrivilege	3372	wmic.exe
Token: SeSystemtimePrivilege	3372	wmic.exe
Token: SeProfSingleProcessPrivilege	3372	wmic.exe
Token: SeIncBasePriorityPrivilege	3372	wmic.exe
Token: SeCreatePagefilePrivilege	3372	wmic.exe
Token: SeBackupPrivilege	3372	wmic.exe
Token: SeRestorePrivilege	3372	wmic.exe
Token: SeShutdownPrivilege	3372	wmic.exe
Token: SeDebugPrivilege	3372	wmic.exe
Token: SeSystemEnvironmentPrivilege	3372	wmic.exe
Token: SeRemoteShutdownPrivilege	3372	wmic.exe
Token: SeUndockPrivilege	3372	wmic.exe
Token: SeManageVolumePrivilege	3372	wmic.exe
Token: 33	3372	wmic.exe
Token: 34	3372	wmic.exe
Token: 35	3372	wmic.exe
Token: 36	3372	wmic.exe
Token: SeIncreaseQuotaPrivilege	4924	WMIC.exe
Token: SeSecurityPrivilege	4924	WMIC.exe
Token: SeTakeOwnershipPrivilege	4924	WMIC.exe
Token: SeLoadDriverPrivilege	4924	WMIC.exe
Token: SeSystemProfilePrivilege	4924	WMIC.exe
Token: SeSystemtimePrivilege	4924	WMIC.exe
Token: SeProfSingleProcessPrivilege	4924	WMIC.exe
Token: SeIncBasePriorityPrivilege	4924	WMIC.exe
Token: SeCreatePagefilePrivilege	4924	WMIC.exe
Token: SeBackupPrivilege	4924	WMIC.exe
Token: SeRestorePrivilege	4924	WMIC.exe
Token: SeShutdownPrivilege	4924	WMIC.exe
Token: SeDebugPrivilege	4924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4924	WMIC.exe
Token: SeRemoteShutdownPrivilege	4924	WMIC.exe
Token: SeUndockPrivilege	4924	WMIC.exe
Token: SeManageVolumePrivilege	4924	WMIC.exe
Token: 33	4924	WMIC.exe
Token: 34	4924	WMIC.exe
Token: 35	4924	WMIC.exe
Token: 36	4924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4924	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4a39e396ddbd9c7116858b6f96a06eb2.execmd.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 3372	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 2000 wrote to memory of 3372	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 2000 wrote to memory of 3372	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	wmic.exe
PID 2000 wrote to memory of 3472	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 2000 wrote to memory of 3472	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 2000 wrote to memory of 3472	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 3472 wrote to memory of 4924	3472	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 4924	3472	cmd.exe	WMIC.exe
PID 3472 wrote to memory of 4924	3472	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1696	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 2000 wrote to memory of 1696	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 2000 wrote to memory of 1696	2000	4a39e396ddbd9c7116858b6f96a06eb2.exe	cmd.exe
PID 1696 wrote to memory of 4988	1696	cmd.exe	WMIC.exe
PID 1696 wrote to memory of 4988	1696	cmd.exe	WMIC.exe
PID 1696 wrote to memory of 4988	1696	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe
"C:\Users\Admin\AppData\Local\Temp\4a39e396ddbd9c7116858b6f96a06eb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 740
2⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2000 -ip 2000
1⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
memory/2000-134-0x00000000024D0000-0x00000000027CF000-memory.dmp

Filesize
3.0MB

Download
memory/2000-187-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing