aurora | 4326de37d417a1630375ac12b7321bbe4deb68b98d0ccf64d46f5c5029c86b73

General

Target

0a5e3621601459473cddfbe8b7bd726e.bin.exe
Size

4.1MB
MD5

0a5e3621601459473cddfbe8b7bd726e
SHA1

5f523a4914d97afc60831c09ae0386ee32dfc168
SHA256

4326de37d417a1630375ac12b7321bbe4deb68b98d0ccf64d46f5c5029c86b73
SHA512

05ec96d03d37be57918d5cf138b6dc082c339cfc266e992d2acde6d1a80e8874f9e1fbcc3b4646e078a39a1bdd17c892c7da06c5799ee59086d976228ae8fa3b
SSDEEP

98304:riau1Bt4TN4vTekNM7k3v7GfdJPonfOmD:eaSI4vikNyk3v0dJAffD

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

82.115.223.135:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

0a5e3621601459473cddfbe8b7bd726e.bin.exe

description pid process target process

PID 1620 set thread context of 5104 1620 0a5e3621601459473cddfbe8b7bd726e.bin.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

208 1620 WerFault.exe 0a5e3621601459473cddfbe8b7bd726e.bin.exe

description	pid	process	target process
PID 1620 set thread context of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe

pid	pid_target	process	target process
208	1620	WerFault.exe	0a5e3621601459473cddfbe8b7bd726e.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

0a5e3621601459473cddfbe8b7bd726e.bin.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 1620 wrote to memory of 5104	1620	0a5e3621601459473cddfbe8b7bd726e.bin.exe	InstallUtil.exe
PID 5104 wrote to memory of 5068	5104	InstallUtil.exe	wmic.exe
PID 5104 wrote to memory of 5068	5104	InstallUtil.exe	wmic.exe
PID 5104 wrote to memory of 5068	5104	InstallUtil.exe	wmic.exe
PID 5104 wrote to memory of 2824	5104	InstallUtil.exe	cmd.exe
PID 5104 wrote to memory of 2824	5104	InstallUtil.exe	cmd.exe
PID 5104 wrote to memory of 2824	5104	InstallUtil.exe	cmd.exe
PID 2824 wrote to memory of 752	2824	cmd.exe	WMIC.exe
PID 2824 wrote to memory of 752	2824	cmd.exe	WMIC.exe
PID 2824 wrote to memory of 752	2824	cmd.exe	WMIC.exe
PID 5104 wrote to memory of 2892	5104	InstallUtil.exe	cmd.exe
PID 5104 wrote to memory of 2892	5104	InstallUtil.exe	cmd.exe
PID 5104 wrote to memory of 2892	5104	InstallUtil.exe	cmd.exe
PID 2892 wrote to memory of 2468	2892	cmd.exe	WMIC.exe
PID 2892 wrote to memory of 2468	2892	cmd.exe	WMIC.exe
PID 2892 wrote to memory of 2468	2892	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\0a5e3621601459473cddfbe8b7bd726e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0a5e3621601459473cddfbe8b7bd726e.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 500
2⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1620 -ip 1620
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
8c7576873886d730d55e52070f35fea0

SHA1
cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1

SHA256
06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa

SHA512
374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
5aeeafe26d1e0441647e0b0d7b880c81

SHA1
45a00f65a99d1cec35bd6a21891ac469a86f451c

SHA256
c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd

SHA512
3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5

Download Submit
memory/5104-133-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-135-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-136-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-137-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-138-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-139-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-140-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-141-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-142-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5104-195-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing