aurora | 2e5260973969192f9cc166487adb128832e22f2752b176359c51264a6e5d7faa

General

Target

5343b3beaadd15a14319e4b21dc68077.exe
Size

2.4MB
MD5

5343b3beaadd15a14319e4b21dc68077
SHA1

6d8b2b4c9418d882fb10ea958d5e5f281a14396b
SHA256

2e5260973969192f9cc166487adb128832e22f2752b176359c51264a6e5d7faa
SHA512

2ea3cc32b56eff42298772ac90eb26b6de98ec3c3bb183b2c1d8bbcc4c5c68877b32268b80e00ef9d4779a0c30b765f8a8bf345ef45e863b9fc2a04f5c79ab3f
SSDEEP

49152:GAE84ts1AF+Asb9wya6uAdaOebmDhEbhQzfnXIqWur2h7bwKPG9T9s:wwb9wya6uAdKmDhEbufnYVur2qKAs

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

92.119.231.161:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

5343b3beaadd15a14319e4b21dc68077.exe

description pid process target process

PID 336 set thread context of 1436 336 5343b3beaadd15a14319e4b21dc68077.exe 5343b3beaadd15a14319e4b21dc68077.exe

description	pid	process	target process
PID 336 set thread context of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5343b3beaadd15a14319e4b21dc68077.exe

pid	process
336	5343b3beaadd15a14319e4b21dc68077.exe
336	5343b3beaadd15a14319e4b21dc68077.exe
336	5343b3beaadd15a14319e4b21dc68077.exe
336	5343b3beaadd15a14319e4b21dc68077.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5343b3beaadd15a14319e4b21dc68077.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	336	5343b3beaadd15a14319e4b21dc68077.exe
Token: SeIncreaseQuotaPrivilege	3548	wmic.exe
Token: SeSecurityPrivilege	3548	wmic.exe
Token: SeTakeOwnershipPrivilege	3548	wmic.exe
Token: SeLoadDriverPrivilege	3548	wmic.exe
Token: SeSystemProfilePrivilege	3548	wmic.exe
Token: SeSystemtimePrivilege	3548	wmic.exe
Token: SeProfSingleProcessPrivilege	3548	wmic.exe
Token: SeIncBasePriorityPrivilege	3548	wmic.exe
Token: SeCreatePagefilePrivilege	3548	wmic.exe
Token: SeBackupPrivilege	3548	wmic.exe
Token: SeRestorePrivilege	3548	wmic.exe
Token: SeShutdownPrivilege	3548	wmic.exe
Token: SeDebugPrivilege	3548	wmic.exe
Token: SeSystemEnvironmentPrivilege	3548	wmic.exe
Token: SeRemoteShutdownPrivilege	3548	wmic.exe
Token: SeUndockPrivilege	3548	wmic.exe
Token: SeManageVolumePrivilege	3548	wmic.exe
Token: 33	3548	wmic.exe
Token: 34	3548	wmic.exe
Token: 35	3548	wmic.exe
Token: 36	3548	wmic.exe
Token: SeIncreaseQuotaPrivilege	3548	wmic.exe
Token: SeSecurityPrivilege	3548	wmic.exe
Token: SeTakeOwnershipPrivilege	3548	wmic.exe
Token: SeLoadDriverPrivilege	3548	wmic.exe
Token: SeSystemProfilePrivilege	3548	wmic.exe
Token: SeSystemtimePrivilege	3548	wmic.exe
Token: SeProfSingleProcessPrivilege	3548	wmic.exe
Token: SeIncBasePriorityPrivilege	3548	wmic.exe
Token: SeCreatePagefilePrivilege	3548	wmic.exe
Token: SeBackupPrivilege	3548	wmic.exe
Token: SeRestorePrivilege	3548	wmic.exe
Token: SeShutdownPrivilege	3548	wmic.exe
Token: SeDebugPrivilege	3548	wmic.exe
Token: SeSystemEnvironmentPrivilege	3548	wmic.exe
Token: SeRemoteShutdownPrivilege	3548	wmic.exe
Token: SeUndockPrivilege	3548	wmic.exe
Token: SeManageVolumePrivilege	3548	wmic.exe
Token: 33	3548	wmic.exe
Token: 34	3548	wmic.exe
Token: 35	3548	wmic.exe
Token: 36	3548	wmic.exe
Token: SeIncreaseQuotaPrivilege	1236	WMIC.exe
Token: SeSecurityPrivilege	1236	WMIC.exe
Token: SeTakeOwnershipPrivilege	1236	WMIC.exe
Token: SeLoadDriverPrivilege	1236	WMIC.exe
Token: SeSystemProfilePrivilege	1236	WMIC.exe
Token: SeSystemtimePrivilege	1236	WMIC.exe
Token: SeProfSingleProcessPrivilege	1236	WMIC.exe
Token: SeIncBasePriorityPrivilege	1236	WMIC.exe
Token: SeCreatePagefilePrivilege	1236	WMIC.exe
Token: SeBackupPrivilege	1236	WMIC.exe
Token: SeRestorePrivilege	1236	WMIC.exe
Token: SeShutdownPrivilege	1236	WMIC.exe
Token: SeDebugPrivilege	1236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1236	WMIC.exe
Token: SeRemoteShutdownPrivilege	1236	WMIC.exe
Token: SeUndockPrivilege	1236	WMIC.exe
Token: SeManageVolumePrivilege	1236	WMIC.exe
Token: 33	1236	WMIC.exe
Token: 34	1236	WMIC.exe
Token: 35	1236	WMIC.exe
Token: 36	1236	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5343b3beaadd15a14319e4b21dc68077.exe5343b3beaadd15a14319e4b21dc68077.execmd.execmd.exe

description	pid	process	target process
PID 336 wrote to memory of 3632	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 3632	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 3632	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 388	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 388	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 388	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 336 wrote to memory of 1436	336	5343b3beaadd15a14319e4b21dc68077.exe	5343b3beaadd15a14319e4b21dc68077.exe
PID 1436 wrote to memory of 3548	1436	5343b3beaadd15a14319e4b21dc68077.exe	wmic.exe
PID 1436 wrote to memory of 3548	1436	5343b3beaadd15a14319e4b21dc68077.exe	wmic.exe
PID 1436 wrote to memory of 3548	1436	5343b3beaadd15a14319e4b21dc68077.exe	wmic.exe
PID 1436 wrote to memory of 4904	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 1436 wrote to memory of 4904	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 1436 wrote to memory of 4904	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 4904 wrote to memory of 1236	4904	cmd.exe	WMIC.exe
PID 4904 wrote to memory of 1236	4904	cmd.exe	WMIC.exe
PID 4904 wrote to memory of 1236	4904	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1740	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 1436 wrote to memory of 1740	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 1436 wrote to memory of 1740	1436	5343b3beaadd15a14319e4b21dc68077.exe	cmd.exe
PID 1740 wrote to memory of 4920	1740	cmd.exe	WMIC.exe
PID 1740 wrote to memory of 4920	1740	cmd.exe	WMIC.exe
PID 1740 wrote to memory of 4920	1740	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5343b3beaadd15a14319e4b21dc68077.exe
"C:\Users\Admin\AppData\Local\Temp\5343b3beaadd15a14319e4b21dc68077.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\5343b3beaadd15a14319e4b21dc68077.exe
"{path}"
2⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\5343b3beaadd15a14319e4b21dc68077.exe
"{path}"
2⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\5343b3beaadd15a14319e4b21dc68077.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
8c7576873886d730d55e52070f35fea0

SHA1
cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1

SHA256
06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa

SHA512
374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
5aeeafe26d1e0441647e0b0d7b880c81

SHA1
45a00f65a99d1cec35bd6a21891ac469a86f451c

SHA256
c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd

SHA512
3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5

Download Submit
memory/336-133-0x0000000000F40000-0x00000000011AC000-memory.dmp

Filesize
2.4MB

Download
memory/336-134-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/336-135-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/336-136-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/336-137-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/336-138-0x0000000005E20000-0x0000000005E30000-memory.dmp

Filesize
64KB

Download
memory/336-139-0x0000000005E20000-0x0000000005E30000-memory.dmp

Filesize
64KB

Download
memory/1436-145-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-144-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-146-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-147-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-148-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-149-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-150-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-143-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-140-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-203-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1436-204-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads