aurora | 459a3e9ef30e59ff28934170719d805ee5f05c44d8bd61f4fd8ed1e70047aa1c

General

Target

6a1d6f9f0d9f038b6bc64ee8d383143d.exe
Size

8.1MB
MD5

6a1d6f9f0d9f038b6bc64ee8d383143d
SHA1

5681bfc4587c40695e99daec0c75bef7946627c8
SHA256

459a3e9ef30e59ff28934170719d805ee5f05c44d8bd61f4fd8ed1e70047aa1c
SHA512

b640bbf2e72cacb73c97ed9ab3848d236e46909395f41b7ca77bfb796a12e3ba193d976aaf4f28cb373528297fbd8e30fa644e2377d7797e00cd1dce0a67b1c1
SSDEEP

98304:SdjxunlgScTvilUJQ38e8dR2SfX6IODGfL112bfaTl:SdjxClgSc7ilieK9X6I4GBAbfwl

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.84.1.87:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exe

description pid process target process

PID 4436 set thread context of 1788 4436 6a1d6f9f0d9f038b6bc64ee8d383143d.exe InstallUtil.exe

description	pid	process	target process
PID 4436 set thread context of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe
Token: SeIncreaseQuotaPrivilege	2288	wmic.exe
Token: SeSecurityPrivilege	2288	wmic.exe
Token: SeTakeOwnershipPrivilege	2288	wmic.exe
Token: SeLoadDriverPrivilege	2288	wmic.exe
Token: SeSystemProfilePrivilege	2288	wmic.exe
Token: SeSystemtimePrivilege	2288	wmic.exe
Token: SeProfSingleProcessPrivilege	2288	wmic.exe
Token: SeIncBasePriorityPrivilege	2288	wmic.exe
Token: SeCreatePagefilePrivilege	2288	wmic.exe
Token: SeBackupPrivilege	2288	wmic.exe
Token: SeRestorePrivilege	2288	wmic.exe
Token: SeShutdownPrivilege	2288	wmic.exe
Token: SeDebugPrivilege	2288	wmic.exe
Token: SeSystemEnvironmentPrivilege	2288	wmic.exe
Token: SeRemoteShutdownPrivilege	2288	wmic.exe
Token: SeUndockPrivilege	2288	wmic.exe
Token: SeManageVolumePrivilege	2288	wmic.exe
Token: 33	2288	wmic.exe
Token: 34	2288	wmic.exe
Token: 35	2288	wmic.exe
Token: 36	2288	wmic.exe
Token: SeIncreaseQuotaPrivilege	2288	wmic.exe
Token: SeSecurityPrivilege	2288	wmic.exe
Token: SeTakeOwnershipPrivilege	2288	wmic.exe
Token: SeLoadDriverPrivilege	2288	wmic.exe
Token: SeSystemProfilePrivilege	2288	wmic.exe
Token: SeSystemtimePrivilege	2288	wmic.exe
Token: SeProfSingleProcessPrivilege	2288	wmic.exe
Token: SeIncBasePriorityPrivilege	2288	wmic.exe
Token: SeCreatePagefilePrivilege	2288	wmic.exe
Token: SeBackupPrivilege	2288	wmic.exe
Token: SeRestorePrivilege	2288	wmic.exe
Token: SeShutdownPrivilege	2288	wmic.exe
Token: SeDebugPrivilege	2288	wmic.exe
Token: SeSystemEnvironmentPrivilege	2288	wmic.exe
Token: SeRemoteShutdownPrivilege	2288	wmic.exe
Token: SeUndockPrivilege	2288	wmic.exe
Token: SeManageVolumePrivilege	2288	wmic.exe
Token: 33	2288	wmic.exe
Token: 34	2288	wmic.exe
Token: 35	2288	wmic.exe
Token: 36	2288	wmic.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6a1d6f9f0d9f038b6bc64ee8d383143d.exeInstallUtil.execmd.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 4436 wrote to memory of 1788	4436	6a1d6f9f0d9f038b6bc64ee8d383143d.exe	InstallUtil.exe
PID 1788 wrote to memory of 2288	1788	InstallUtil.exe	wmic.exe
PID 1788 wrote to memory of 2288	1788	InstallUtil.exe	wmic.exe
PID 1788 wrote to memory of 2288	1788	InstallUtil.exe	wmic.exe
PID 1788 wrote to memory of 4024	1788	InstallUtil.exe	cmd.exe
PID 1788 wrote to memory of 4024	1788	InstallUtil.exe	cmd.exe
PID 1788 wrote to memory of 4024	1788	InstallUtil.exe	cmd.exe
PID 4024 wrote to memory of 4536	4024	cmd.exe	WMIC.exe
PID 4024 wrote to memory of 4536	4024	cmd.exe	WMIC.exe
PID 4024 wrote to memory of 4536	4024	cmd.exe	WMIC.exe
PID 1788 wrote to memory of 1612	1788	InstallUtil.exe	cmd.exe
PID 1788 wrote to memory of 1612	1788	InstallUtil.exe	cmd.exe
PID 1788 wrote to memory of 1612	1788	InstallUtil.exe	cmd.exe
PID 1612 wrote to memory of 4512	1612	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 4512	1612	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 4512	1612	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\6a1d6f9f0d9f038b6bc64ee8d383143d.exe
"C:\Users\Admin\AppData\Local\Temp\6a1d6f9f0d9f038b6bc64ee8d383143d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
memory/1788-138-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-144-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-200-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-140-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-141-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-142-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-143-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-136-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-145-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-146-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-199-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4436-134-0x000000001D7F0000-0x000000001D800000-memory.dmp

Filesize
64KB

Download
memory/4436-135-0x0000000001980000-0x0000000001981000-memory.dmp

Filesize
4KB

Download
memory/4436-133-0x0000000000A30000-0x000000000124A000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing