aurora | 4326de37d417a1630375ac12b7321bbe4deb68b98d0ccf64d46f5c5029c86b73

General

Target

0a5e3621601459473cddfbe8b7bd726e.bin.exe
Size

4.1MB
MD5

0a5e3621601459473cddfbe8b7bd726e
SHA1

5f523a4914d97afc60831c09ae0386ee32dfc168
SHA256

4326de37d417a1630375ac12b7321bbe4deb68b98d0ccf64d46f5c5029c86b73
SHA512

05ec96d03d37be57918d5cf138b6dc082c339cfc266e992d2acde6d1a80e8874f9e1fbcc3b4646e078a39a1bdd17c892c7da06c5799ee59086d976228ae8fa3b
SSDEEP

98304:riau1Bt4TN4vTekNM7k3v7GfdJPonfOmD:eaSI4vikNyk3v0dJAffD

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

82.115.223.135:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

0a5e3621601459473cddfbe8b7bd726e.bin.exe

description pid process target process

PID 924 set thread context of 936 924 0a5e3621601459473cddfbe8b7bd726e.bin.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1212 924 WerFault.exe 0a5e3621601459473cddfbe8b7bd726e.bin.exe

description	pid	process	target process
PID 924 set thread context of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe

pid	pid_target	process	target process
1212	924	WerFault.exe	0a5e3621601459473cddfbe8b7bd726e.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1116	wmic.exe
Token: SeSecurityPrivilege	1116	wmic.exe
Token: SeTakeOwnershipPrivilege	1116	wmic.exe
Token: SeLoadDriverPrivilege	1116	wmic.exe
Token: SeSystemProfilePrivilege	1116	wmic.exe
Token: SeSystemtimePrivilege	1116	wmic.exe
Token: SeProfSingleProcessPrivilege	1116	wmic.exe
Token: SeIncBasePriorityPrivilege	1116	wmic.exe
Token: SeCreatePagefilePrivilege	1116	wmic.exe
Token: SeBackupPrivilege	1116	wmic.exe
Token: SeRestorePrivilege	1116	wmic.exe
Token: SeShutdownPrivilege	1116	wmic.exe
Token: SeDebugPrivilege	1116	wmic.exe
Token: SeSystemEnvironmentPrivilege	1116	wmic.exe
Token: SeRemoteShutdownPrivilege	1116	wmic.exe
Token: SeUndockPrivilege	1116	wmic.exe
Token: SeManageVolumePrivilege	1116	wmic.exe
Token: 33	1116	wmic.exe
Token: 34	1116	wmic.exe
Token: 35	1116	wmic.exe
Token: SeIncreaseQuotaPrivilege	1116	wmic.exe
Token: SeSecurityPrivilege	1116	wmic.exe
Token: SeTakeOwnershipPrivilege	1116	wmic.exe
Token: SeLoadDriverPrivilege	1116	wmic.exe
Token: SeSystemProfilePrivilege	1116	wmic.exe
Token: SeSystemtimePrivilege	1116	wmic.exe
Token: SeProfSingleProcessPrivilege	1116	wmic.exe
Token: SeIncBasePriorityPrivilege	1116	wmic.exe
Token: SeCreatePagefilePrivilege	1116	wmic.exe
Token: SeBackupPrivilege	1116	wmic.exe
Token: SeRestorePrivilege	1116	wmic.exe
Token: SeShutdownPrivilege	1116	wmic.exe
Token: SeDebugPrivilege	1116	wmic.exe
Token: SeSystemEnvironmentPrivilege	1116	wmic.exe
Token: SeRemoteShutdownPrivilege	1116	wmic.exe
Token: SeUndockPrivilege	1116	wmic.exe
Token: SeManageVolumePrivilege	1116	wmic.exe
Token: 33	1116	wmic.exe
Token: 34	1116	wmic.exe
Token: 35	1116	wmic.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0a5e3621601459473cddfbe8b7bd726e.bin.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 936	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 924 wrote to memory of 1212	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	WerFault.exe
PID 924 wrote to memory of 1212	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	WerFault.exe
PID 924 wrote to memory of 1212	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	WerFault.exe
PID 924 wrote to memory of 1212	924	0a5e3621601459473cddfbe8b7bd726e.bin.exe	WerFault.exe
PID 936 wrote to memory of 1116	936	InstallUtil.exe	wmic.exe
PID 936 wrote to memory of 1116	936	InstallUtil.exe	wmic.exe
PID 936 wrote to memory of 1116	936	InstallUtil.exe	wmic.exe
PID 936 wrote to memory of 1116	936	InstallUtil.exe	wmic.exe
PID 936 wrote to memory of 1828	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1828	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1828	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1828	936	InstallUtil.exe	cmd.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	WMIC.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	WMIC.exe
PID 936 wrote to memory of 1556	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1556	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1556	936	InstallUtil.exe	cmd.exe
PID 936 wrote to memory of 1556	936	InstallUtil.exe	cmd.exe
PID 1556 wrote to memory of 1088	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1088	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1088	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1088	1556	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\0a5e3621601459473cddfbe8b7bd726e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0a5e3621601459473cddfbe8b7bd726e.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 120
2⤵
- Program crash
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
memory/936-54-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-56-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-57-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-58-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-59-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-60-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-61-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-62-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/936-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing