aurora | 459a3e9ef30e59ff28934170719d805ee5f05c44d8bd61f4fd8ed1e70047aa1c

General

Target

6a1d6f9f0d9f038b6bc64ee8d383143d.exe
Size

8.1MB
MD5

6a1d6f9f0d9f038b6bc64ee8d383143d
SHA1

5681bfc4587c40695e99daec0c75bef7946627c8
SHA256

459a3e9ef30e59ff28934170719d805ee5f05c44d8bd61f4fd8ed1e70047aa1c
SHA512

b640bbf2e72cacb73c97ed9ab3848d236e46909395f41b7ca77bfb796a12e3ba193d976aaf4f28cb373528297fbd8e30fa644e2377d7797e00cd1dce0a67b1c1
SSDEEP

98304:SdjxunlgScTvilUJQ38e8dR2SfX6IODGfL112bfaTl:SdjxClgSc7ilieK9X6I4GBAbfwl

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.84.1.87:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exe

description pid process target process

PID 1348 set thread context of 332 1348 6a1d6f9f0d9f038b6bc64ee8d383143d.exe InstallUtil.exe

description	pid	process	target process
PID 1348 set thread context of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe
Token: SeIncreaseQuotaPrivilege	568	wmic.exe
Token: SeSecurityPrivilege	568	wmic.exe
Token: SeTakeOwnershipPrivilege	568	wmic.exe
Token: SeLoadDriverPrivilege	568	wmic.exe
Token: SeSystemProfilePrivilege	568	wmic.exe
Token: SeSystemtimePrivilege	568	wmic.exe
Token: SeProfSingleProcessPrivilege	568	wmic.exe
Token: SeIncBasePriorityPrivilege	568	wmic.exe
Token: SeCreatePagefilePrivilege	568	wmic.exe
Token: SeBackupPrivilege	568	wmic.exe
Token: SeRestorePrivilege	568	wmic.exe
Token: SeShutdownPrivilege	568	wmic.exe
Token: SeDebugPrivilege	568	wmic.exe
Token: SeSystemEnvironmentPrivilege	568	wmic.exe
Token: SeRemoteShutdownPrivilege	568	wmic.exe
Token: SeUndockPrivilege	568	wmic.exe
Token: SeManageVolumePrivilege	568	wmic.exe
Token: 33	568	wmic.exe
Token: 34	568	wmic.exe
Token: 35	568	wmic.exe
Token: SeIncreaseQuotaPrivilege	568	wmic.exe
Token: SeSecurityPrivilege	568	wmic.exe
Token: SeTakeOwnershipPrivilege	568	wmic.exe
Token: SeLoadDriverPrivilege	568	wmic.exe
Token: SeSystemProfilePrivilege	568	wmic.exe
Token: SeSystemtimePrivilege	568	wmic.exe
Token: SeProfSingleProcessPrivilege	568	wmic.exe
Token: SeIncBasePriorityPrivilege	568	wmic.exe
Token: SeCreatePagefilePrivilege	568	wmic.exe
Token: SeBackupPrivilege	568	wmic.exe
Token: SeRestorePrivilege	568	wmic.exe
Token: SeShutdownPrivilege	568	wmic.exe
Token: SeDebugPrivilege	568	wmic.exe
Token: SeSystemEnvironmentPrivilege	568	wmic.exe
Token: SeRemoteShutdownPrivilege	568	wmic.exe
Token: SeUndockPrivilege	568	wmic.exe
Token: SeManageVolumePrivilege	568	wmic.exe
Token: 33	568	wmic.exe
Token: 34	568	wmic.exe
Token: 35	568	wmic.exe
Token: SeIncreaseQuotaPrivilege	836	WMIC.exe
Token: SeSecurityPrivilege	836	WMIC.exe
Token: SeTakeOwnershipPrivilege	836	WMIC.exe
Token: SeLoadDriverPrivilege	836	WMIC.exe
Token: SeSystemProfilePrivilege	836	WMIC.exe
Token: SeSystemtimePrivilege	836	WMIC.exe
Token: SeProfSingleProcessPrivilege	836	WMIC.exe
Token: SeIncBasePriorityPrivilege	836	WMIC.exe
Token: SeCreatePagefilePrivilege	836	WMIC.exe
Token: SeBackupPrivilege	836	WMIC.exe
Token: SeRestorePrivilege	836	WMIC.exe
Token: SeShutdownPrivilege	836	WMIC.exe
Token: SeDebugPrivilege	836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	836	WMIC.exe
Token: SeRemoteShutdownPrivilege	836	WMIC.exe
Token: SeUndockPrivilege	836	WMIC.exe
Token: SeManageVolumePrivilege	836	WMIC.exe
Token: 33	836	WMIC.exe
Token: 34	836	WMIC.exe
Token: 35	836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	836	WMIC.exe
Token: SeSecurityPrivilege	836	WMIC.exe
Token: SeTakeOwnershipPrivilege	836	WMIC.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1348 wrote to memory of 332	1348	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 332 wrote to memory of 568	332	InstallUtil.exe	wmic.exe
PID 332 wrote to memory of 568	332	InstallUtil.exe	wmic.exe
PID 332 wrote to memory of 568	332	InstallUtil.exe	wmic.exe
PID 332 wrote to memory of 568	332	InstallUtil.exe	wmic.exe
PID 332 wrote to memory of 608	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 608	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 608	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 608	332	InstallUtil.exe	cmd.exe
PID 608 wrote to memory of 836	608	cmd.exe	WMIC.exe
PID 608 wrote to memory of 836	608	cmd.exe	WMIC.exe
PID 608 wrote to memory of 836	608	cmd.exe	WMIC.exe
PID 608 wrote to memory of 836	608	cmd.exe	WMIC.exe
PID 332 wrote to memory of 1412	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 1412	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 1412	332	InstallUtil.exe	cmd.exe
PID 332 wrote to memory of 1412	332	InstallUtil.exe	cmd.exe
PID 1412 wrote to memory of 1884	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 1884	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 1884	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 1884	1412	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\6a1d6f9f0d9f038b6bc64ee8d383143d.exe
"C:\Users\Admin\AppData\Local\Temp\6a1d6f9f0d9f038b6bc64ee8d383143d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic cpu get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
memory/332-64-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-72-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-66-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-58-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-59-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-60-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-61-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-62-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-68-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/332-107-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-63-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-69-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-70-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-71-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/332-73-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1348-56-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1348-57-0x000000001BB70000-0x000000001BE3C000-memory.dmp

Filesize
2.8MB

Download
memory/1348-55-0x00000000009E0000-0x0000000000A60000-memory.dmp

Filesize
512KB

Download
memory/1348-54-0x0000000001360000-0x0000000001B7A000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing