aurora | 85b1db4b9ec3fec1711a200175bf0244f5148128ae2f984154cd0029926df816

General

Target

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
Size

4.8MB
MD5

d442830fc92de9465d9bf425922173a5
SHA1

27eaed777470e6a9f855894b2af3c7baa1c812eb
SHA256

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
SHA512

1ce42ab9055bf0c15f8f4b90820c8d4c74f348dc1e1833d26f55f61b671cdafee24a0777ea60a3a5cf5b297c31380a79a1a7d0568c81886f2472d265f77c7146
SSDEEP

98304:9j3/I9FTuPXPlGUi317EPTiu0ENWS5ywGDZHU:9/MF4l5GgUEMSrwU

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

138.201.198.8:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe

description	pid	process	target process
PID 1260 set thread context of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeIncreaseQuotaPrivilege	884	WMIC.exe
Token: SeSecurityPrivilege	884	WMIC.exe
Token: SeTakeOwnershipPrivilege	884	WMIC.exe
Token: SeLoadDriverPrivilege	884	WMIC.exe
Token: SeSystemProfilePrivilege	884	WMIC.exe
Token: SeSystemtimePrivilege	884	WMIC.exe
Token: SeProfSingleProcessPrivilege	884	WMIC.exe
Token: SeIncBasePriorityPrivilege	884	WMIC.exe
Token: SeCreatePagefilePrivilege	884	WMIC.exe
Token: SeBackupPrivilege	884	WMIC.exe
Token: SeRestorePrivilege	884	WMIC.exe
Token: SeShutdownPrivilege	884	WMIC.exe
Token: SeDebugPrivilege	884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	884	WMIC.exe
Token: SeRemoteShutdownPrivilege	884	WMIC.exe
Token: SeUndockPrivilege	884	WMIC.exe
Token: SeManageVolumePrivilege	884	WMIC.exe
Token: 33	884	WMIC.exe
Token: 34	884	WMIC.exe
Token: 35	884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	884	WMIC.exe
Token: SeSecurityPrivilege	884	WMIC.exe
Token: SeTakeOwnershipPrivilege	884	WMIC.exe
Token: SeLoadDriverPrivilege	884	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.execmd.execmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1260 wrote to memory of 880	1260	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 880 wrote to memory of 1680	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 880 wrote to memory of 1680	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 880 wrote to memory of 1680	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 880 wrote to memory of 1680	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 880 wrote to memory of 1792	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1792	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1792	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1792	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1792 wrote to memory of 884	1792	cmd.exe	WMIC.exe
PID 1792 wrote to memory of 884	1792	cmd.exe	WMIC.exe
PID 1792 wrote to memory of 884	1792	cmd.exe	WMIC.exe
PID 1792 wrote to memory of 884	1792	cmd.exe	WMIC.exe
PID 880 wrote to memory of 1204	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1204	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1204	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 880 wrote to memory of 1204	880	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1204 wrote to memory of 988	1204	cmd.exe	WMIC.exe
PID 1204 wrote to memory of 988	1204	cmd.exe	WMIC.exe
PID 1204 wrote to memory of 988	1204	cmd.exe	WMIC.exe
PID 1204 wrote to memory of 988	1204	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
"C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
"C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
memory/880-64-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-59-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-65-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/880-67-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-60-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-61-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-62-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-63-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-106-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-73-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-72-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-69-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-70-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/880-71-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1260-58-0x0000000000810000-0x000000000082C000-memory.dmp

Filesize
112KB

Download
memory/1260-56-0x0000000004FD0000-0x0000000005010000-memory.dmp

Filesize
256KB

Download
memory/1260-57-0x000000000DF50000-0x000000000E19E000-memory.dmp

Filesize
2.3MB

Download
memory/1260-55-0x0000000006420000-0x0000000006896000-memory.dmp

Filesize
4.5MB

Download
memory/1260-54-0x0000000000EC0000-0x000000000138E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads