General
-
Target
C4Loader.exe
-
Size
1.1MB
-
Sample
230311-j5kh6sgh95
-
MD5
39ce2b13bacdce1889b3ac7addcd471b
-
SHA1
5f75e695bbdca7994d62fe8aa4b3c5cd121bfc23
-
SHA256
104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
-
SHA512
26ca64c01b3847f744bca32c608d4a4f379f045f8e3db5becd0c35b80d34366e15aa9cb901c533b84a1910ca21f05c63655c0b955a810b1c34d8877284ddd889
-
SSDEEP
3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Malware Config
Extracted
aurora
107.182.129.73:8081
Targets
-
-
Target
C4Loader.exe
-
Size
1.1MB
-
MD5
39ce2b13bacdce1889b3ac7addcd471b
-
SHA1
5f75e695bbdca7994d62fe8aa4b3c5cd121bfc23
-
SHA256
104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
-
SHA512
26ca64c01b3847f744bca32c608d4a4f379f045f8e3db5becd0c35b80d34366e15aa9cb901c533b84a1910ca21f05c63655c0b955a810b1c34d8877284ddd889
-
SSDEEP
3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Score10/10-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-