aurora | 9e82f4feac500f219662c11c5036343cccd46f8ff3133f6ff2dfddf2f3946270

General

Target

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
Size

7.5MB
MD5

1431d295525534f244dd34a8a311b87f
SHA1

2d0d2190ed780bf8dfed135bd1d12cae53860ebe
SHA256

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e
SHA512

dd7085d43c12c1c7d59be73e66e5797966f7310fdd40ff2979fc770fa6fb5164484661fdfa7b73f8fc7a2dac32a452683f021e56fa4b1135bbbb9d140794ee02
SSDEEP

24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.15.156.172:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

description	pid	process	target process
PID 4520 set thread context of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4436	wmic.exe
Token: SeSecurityPrivilege	4436	wmic.exe
Token: SeTakeOwnershipPrivilege	4436	wmic.exe
Token: SeLoadDriverPrivilege	4436	wmic.exe
Token: SeSystemProfilePrivilege	4436	wmic.exe
Token: SeSystemtimePrivilege	4436	wmic.exe
Token: SeProfSingleProcessPrivilege	4436	wmic.exe
Token: SeIncBasePriorityPrivilege	4436	wmic.exe
Token: SeCreatePagefilePrivilege	4436	wmic.exe
Token: SeBackupPrivilege	4436	wmic.exe
Token: SeRestorePrivilege	4436	wmic.exe
Token: SeShutdownPrivilege	4436	wmic.exe
Token: SeDebugPrivilege	4436	wmic.exe
Token: SeSystemEnvironmentPrivilege	4436	wmic.exe
Token: SeRemoteShutdownPrivilege	4436	wmic.exe
Token: SeUndockPrivilege	4436	wmic.exe
Token: SeManageVolumePrivilege	4436	wmic.exe
Token: 33	4436	wmic.exe
Token: 34	4436	wmic.exe
Token: 35	4436	wmic.exe
Token: 36	4436	wmic.exe
Token: SeIncreaseQuotaPrivilege	4436	wmic.exe
Token: SeSecurityPrivilege	4436	wmic.exe
Token: SeTakeOwnershipPrivilege	4436	wmic.exe
Token: SeLoadDriverPrivilege	4436	wmic.exe
Token: SeSystemProfilePrivilege	4436	wmic.exe
Token: SeSystemtimePrivilege	4436	wmic.exe
Token: SeProfSingleProcessPrivilege	4436	wmic.exe
Token: SeIncBasePriorityPrivilege	4436	wmic.exe
Token: SeCreatePagefilePrivilege	4436	wmic.exe
Token: SeBackupPrivilege	4436	wmic.exe
Token: SeRestorePrivilege	4436	wmic.exe
Token: SeShutdownPrivilege	4436	wmic.exe
Token: SeDebugPrivilege	4436	wmic.exe
Token: SeSystemEnvironmentPrivilege	4436	wmic.exe
Token: SeRemoteShutdownPrivilege	4436	wmic.exe
Token: SeUndockPrivilege	4436	wmic.exe
Token: SeManageVolumePrivilege	4436	wmic.exe
Token: 33	4436	wmic.exe
Token: 34	4436	wmic.exe
Token: 35	4436	wmic.exe
Token: 36	4436	wmic.exe
Token: SeIncreaseQuotaPrivilege	4172	WMIC.exe
Token: SeSecurityPrivilege	4172	WMIC.exe
Token: SeTakeOwnershipPrivilege	4172	WMIC.exe
Token: SeLoadDriverPrivilege	4172	WMIC.exe
Token: SeSystemProfilePrivilege	4172	WMIC.exe
Token: SeSystemtimePrivilege	4172	WMIC.exe
Token: SeProfSingleProcessPrivilege	4172	WMIC.exe
Token: SeIncBasePriorityPrivilege	4172	WMIC.exe
Token: SeCreatePagefilePrivilege	4172	WMIC.exe
Token: SeBackupPrivilege	4172	WMIC.exe
Token: SeRestorePrivilege	4172	WMIC.exe
Token: SeShutdownPrivilege	4172	WMIC.exe
Token: SeDebugPrivilege	4172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4172	WMIC.exe
Token: SeRemoteShutdownPrivilege	4172	WMIC.exe
Token: SeUndockPrivilege	4172	WMIC.exe
Token: SeManageVolumePrivilege	4172	WMIC.exe
Token: 33	4172	WMIC.exe
Token: 34	4172	WMIC.exe
Token: 35	4172	WMIC.exe
Token: 36	4172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4172	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.execmd.execmd.exe

description	pid	process	target process
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276	4520	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 2276 wrote to memory of 4436	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	wmic.exe
PID 2276 wrote to memory of 4436	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	wmic.exe
PID 2276 wrote to memory of 1008	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 2276 wrote to memory of 1008	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 1008 wrote to memory of 4172	1008	cmd.exe	WMIC.exe
PID 1008 wrote to memory of 4172	1008	cmd.exe	WMIC.exe
PID 2276 wrote to memory of 1408	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 2276 wrote to memory of 1408	2276	60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe	cmd.exe
PID 1408 wrote to memory of 3932	1408	cmd.exe	WMIC.exe
PID 1408 wrote to memory of 3932	1408	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dd7a4110e2dc0760efdd47ee918c0deb

SHA1
5ed5efe128e521023e0caf4fff9af747522c8166

SHA256
550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084

SHA512
c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
dc2b0f48d8f547d5ff7d67b371d850f0

SHA1
84d02ddbf478bf7cfe9ccb466362860ee18b3839

SHA256
0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890

SHA512
3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

Download Submit
memory/2276-147-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-144-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-146-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-145-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-133-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-148-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-150-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-151-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-143-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-138-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-206-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download
memory/2276-207-0x0000000000C20000-0x0000000000F7C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads