aurora | 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e

General

Target

tmp.exe
Size

7.5MB
MD5

1431d295525534f244dd34a8a311b87f
SHA1

2d0d2190ed780bf8dfed135bd1d12cae53860ebe
SHA256

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
SHA512

dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
SSDEEP

24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.15.156.172:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 2156 set thread context of 2184 2156 tmp.exe tmp.exe

description	pid	process	target process
PID 2156 set thread context of 2184	2156	tmp.exe	tmp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4136	wmic.exe
Token: SeSecurityPrivilege	4136	wmic.exe
Token: SeTakeOwnershipPrivilege	4136	wmic.exe
Token: SeLoadDriverPrivilege	4136	wmic.exe
Token: SeSystemProfilePrivilege	4136	wmic.exe
Token: SeSystemtimePrivilege	4136	wmic.exe
Token: SeProfSingleProcessPrivilege	4136	wmic.exe
Token: SeIncBasePriorityPrivilege	4136	wmic.exe
Token: SeCreatePagefilePrivilege	4136	wmic.exe
Token: SeBackupPrivilege	4136	wmic.exe
Token: SeRestorePrivilege	4136	wmic.exe
Token: SeShutdownPrivilege	4136	wmic.exe
Token: SeDebugPrivilege	4136	wmic.exe
Token: SeSystemEnvironmentPrivilege	4136	wmic.exe
Token: SeRemoteShutdownPrivilege	4136	wmic.exe
Token: SeUndockPrivilege	4136	wmic.exe
Token: SeManageVolumePrivilege	4136	wmic.exe
Token: 33	4136	wmic.exe
Token: 34	4136	wmic.exe
Token: 35	4136	wmic.exe
Token: 36	4136	wmic.exe
Token: SeIncreaseQuotaPrivilege	4136	wmic.exe
Token: SeSecurityPrivilege	4136	wmic.exe
Token: SeTakeOwnershipPrivilege	4136	wmic.exe
Token: SeLoadDriverPrivilege	4136	wmic.exe
Token: SeSystemProfilePrivilege	4136	wmic.exe
Token: SeSystemtimePrivilege	4136	wmic.exe
Token: SeProfSingleProcessPrivilege	4136	wmic.exe
Token: SeIncBasePriorityPrivilege	4136	wmic.exe
Token: SeCreatePagefilePrivilege	4136	wmic.exe
Token: SeBackupPrivilege	4136	wmic.exe
Token: SeRestorePrivilege	4136	wmic.exe
Token: SeShutdownPrivilege	4136	wmic.exe
Token: SeDebugPrivilege	4136	wmic.exe
Token: SeSystemEnvironmentPrivilege	4136	wmic.exe
Token: SeRemoteShutdownPrivilege	4136	wmic.exe
Token: SeUndockPrivilege	4136	wmic.exe
Token: SeManageVolumePrivilege	4136	wmic.exe
Token: 33	4136	wmic.exe
Token: 34	4136	wmic.exe
Token: 35	4136	wmic.exe
Token: 36	4136	wmic.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

tmp.exetmp.execmd.execmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2156 wrote to memory of 2184	2156	tmp.exe	tmp.exe
PID 2184 wrote to memory of 4136	2184	tmp.exe	wmic.exe
PID 2184 wrote to memory of 4136	2184	tmp.exe	wmic.exe
PID 2184 wrote to memory of 3044	2184	tmp.exe	cmd.exe
PID 2184 wrote to memory of 3044	2184	tmp.exe	cmd.exe
PID 3044 wrote to memory of 2964	3044	cmd.exe	WMIC.exe
PID 3044 wrote to memory of 2964	3044	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4992	2184	tmp.exe	cmd.exe
PID 2184 wrote to memory of 4992	2184	tmp.exe	cmd.exe
PID 4992 wrote to memory of 1040	4992	cmd.exe	WMIC.exe
PID 4992 wrote to memory of 1040	4992	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
8c7576873886d730d55e52070f35fea0

SHA1
cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1

SHA256
06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa

SHA512
374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
5aeeafe26d1e0441647e0b0d7b880c81

SHA1
45a00f65a99d1cec35bd6a21891ac469a86f451c

SHA256
c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd

SHA512
3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5

Download Submit
memory/2184-133-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-138-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-143-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-144-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-145-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-146-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-147-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-148-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-149-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download
memory/2184-204-0x0000000000960000-0x0000000000CBC000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing