Overview

overview

10

Static

static

1

C4Loader.exe

windows7-x64

10

C4Loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C4Loader.rar

  • Size

    130KB

  • Sample

    230310-1pxl8sfd83

  • MD5

    931ddbdafed0212e3b1da2460907950c

  • SHA1

    57d23f7f836befc775cc3f790115b65a503d158a

  • SHA256

    c4d92f2b4fe82c7eca69558a5e62e270e0486ce0fcffe51aa72ed2ed104cb7e8

  • SHA512

    a8e9cf280ebf4070f3d7133c9eb63929da81e98de8fc2be0b90e0d1e58204406b4cbe7b6a92a99e5417434d39f3fc2b791bc4a749989d0c4955f6346cf5f8c4d

  • SSDEEP

    3072:krhy/OohnJqAvej6Svh6m2aBg6gwFTbFwLyTh2ShCCpqC:ihMhnUj6SMyBg6gwH80hI4

Score
10/10
auroraevasionspywarestealer

Malware Config

Extracted

Family

aurora

C2

107.182.129.73:8081

Targets

    • Target

      C4Loader.exe

    • Size

      687.8MB

    • MD5

      66a41bcddbef0ad226adda334fc38ae6

    • SHA1

      3128d77a2d71d1fc520d302f2d6a12f0c3c47a09

    • SHA256

      36f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a

    • SHA512

      541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea

    • SSDEEP

      3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew

    Score
    10/10
    auroraevasionstealerspyware

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

      stealeraurora

    • Modifies security service

      evasion

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Impair Defenses

1
T1562

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks