aurora | 9e82f4feac500f219662c11c5036343cccd46f8ff3133f6ff2dfddf2f3946270

General

Target

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
Size

7.5MB
MD5

1431d295525534f244dd34a8a311b87f
SHA1

2d0d2190ed780bf8dfed135bd1d12cae53860ebe
SHA256

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
SHA512

dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
SSDEEP

24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.15.156.172:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

description	pid	process	target process
PID 928 set thread context of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1664	wmic.exe
Token: SeSecurityPrivilege	1664	wmic.exe
Token: SeTakeOwnershipPrivilege	1664	wmic.exe
Token: SeLoadDriverPrivilege	1664	wmic.exe
Token: SeSystemProfilePrivilege	1664	wmic.exe
Token: SeSystemtimePrivilege	1664	wmic.exe
Token: SeProfSingleProcessPrivilege	1664	wmic.exe
Token: SeIncBasePriorityPrivilege	1664	wmic.exe
Token: SeCreatePagefilePrivilege	1664	wmic.exe
Token: SeBackupPrivilege	1664	wmic.exe
Token: SeRestorePrivilege	1664	wmic.exe
Token: SeShutdownPrivilege	1664	wmic.exe
Token: SeDebugPrivilege	1664	wmic.exe
Token: SeSystemEnvironmentPrivilege	1664	wmic.exe
Token: SeRemoteShutdownPrivilege	1664	wmic.exe
Token: SeUndockPrivilege	1664	wmic.exe
Token: SeManageVolumePrivilege	1664	wmic.exe
Token: 33	1664	wmic.exe
Token: 34	1664	wmic.exe
Token: 35	1664	wmic.exe
Token: SeIncreaseQuotaPrivilege	1664	wmic.exe
Token: SeSecurityPrivilege	1664	wmic.exe
Token: SeTakeOwnershipPrivilege	1664	wmic.exe
Token: SeLoadDriverPrivilege	1664	wmic.exe
Token: SeSystemProfilePrivilege	1664	wmic.exe
Token: SeSystemtimePrivilege	1664	wmic.exe
Token: SeProfSingleProcessPrivilege	1664	wmic.exe
Token: SeIncBasePriorityPrivilege	1664	wmic.exe
Token: SeCreatePagefilePrivilege	1664	wmic.exe
Token: SeBackupPrivilege	1664	wmic.exe
Token: SeRestorePrivilege	1664	wmic.exe
Token: SeShutdownPrivilege	1664	wmic.exe
Token: SeDebugPrivilege	1664	wmic.exe
Token: SeSystemEnvironmentPrivilege	1664	wmic.exe
Token: SeRemoteShutdownPrivilege	1664	wmic.exe
Token: SeUndockPrivilege	1664	wmic.exe
Token: SeManageVolumePrivilege	1664	wmic.exe
Token: 33	1664	wmic.exe
Token: 34	1664	wmic.exe
Token: 35	1664	wmic.exe
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe
Token: SeSystemProfilePrivilege	1916	WMIC.exe
Token: SeSystemtimePrivilege	1916	WMIC.exe
Token: SeProfSingleProcessPrivilege	1916	WMIC.exe
Token: SeIncBasePriorityPrivilege	1916	WMIC.exe
Token: SeCreatePagefilePrivilege	1916	WMIC.exe
Token: SeBackupPrivilege	1916	WMIC.exe
Token: SeRestorePrivilege	1916	WMIC.exe
Token: SeShutdownPrivilege	1916	WMIC.exe
Token: SeDebugPrivilege	1916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1916	WMIC.exe
Token: SeRemoteShutdownPrivilege	1916	WMIC.exe
Token: SeUndockPrivilege	1916	WMIC.exe
Token: SeManageVolumePrivilege	1916	WMIC.exe
Token: 33	1916	WMIC.exe
Token: 34	1916	WMIC.exe
Token: 35	1916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.execmd.execmd.exe

description	pid	process	target process
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924	928	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 924 wrote to memory of 1664	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	wmic.exe
PID 924 wrote to memory of 1664	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	wmic.exe
PID 924 wrote to memory of 1664	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	wmic.exe
PID 924 wrote to memory of 884	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 924 wrote to memory of 884	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 924 wrote to memory of 884	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 884 wrote to memory of 1916	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1916	884	cmd.exe	WMIC.exe
PID 884 wrote to memory of 1916	884	cmd.exe	WMIC.exe
PID 924 wrote to memory of 336	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 924 wrote to memory of 336	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 924 wrote to memory of 336	924	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 336 wrote to memory of 1644	336	cmd.exe	WMIC.exe
PID 336 wrote to memory of 1644	336	cmd.exe	WMIC.exe
PID 336 wrote to memory of 1644	336	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
memory/924-62-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-59-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-64-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-58-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-65-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-60-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-61-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/924-66-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-57-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-56-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-54-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-67-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-68-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-69-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-55-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-103-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/924-104-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads