aurora | b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.5MB
MD5

cc1ea92ccab2960cedad3783799f56bb
SHA1

08c93ee33fc4c4486b710781da848acb259233c8
SHA256

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8
SHA512

62c8b32f74e4ee0bd427c6025e51ae2b652184d5fb79ac41e0dcebc6bb1c2bebe1920f4e0edb21bbe21125fe6d0f418cfaef4b6b8dc5f5a2e0744cf560257049
SSDEEP

24576:mATqsCp2Y4QpiwrVFwPteCpZTbceUIqzjoLh+joixy//qE522wuZ3/cRDJRkAYq8:pqsCpx4RwrVaoCrgk+lK1EbMz1

Score

10^/10

aurora stealer

Malware Config

Extracted

Family

aurora

94.142.138.94:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1612 set thread context of 932 1612 tmp.exe tmp.exe

description	pid	process	target process
PID 1612 set thread context of 932	1612	tmp.exe	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe
PID 1612 wrote to memory of 932	1612	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-54-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-55-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-56-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-57-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-58-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-59-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-60-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-61-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/932-62-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-64-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-65-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-66-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-67-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-68-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-69-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-70-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-71-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-72-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-73-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-74-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-75-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-76-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-77-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-78-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-79-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-80-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-81-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-82-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-83-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/932-84-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download