aurora | 85b1db4b9ec3fec1711a200175bf0244f5148128ae2f984154cd0029926df816

General

Target

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
Size

4.8MB
MD5

d442830fc92de9465d9bf425922173a5
SHA1

27eaed777470e6a9f855894b2af3c7baa1c812eb
SHA256

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
SHA512

1ce42ab9055bf0c15f8f4b90820c8d4c74f348dc1e1833d26f55f61b671cdafee24a0777ea60a3a5cf5b297c31380a79a1a7d0568c81886f2472d265f77c7146
SSDEEP

98304:9j3/I9FTuPXPlGUi317EPTiu0ENWS5ywGDZHU:9/MF4l5GgUEMSrwU

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

138.201.198.8:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe

description	pid	process	target process
PID 1256 set thread context of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	320	wmic.exe
Token: SeSecurityPrivilege	320	wmic.exe
Token: SeTakeOwnershipPrivilege	320	wmic.exe
Token: SeLoadDriverPrivilege	320	wmic.exe
Token: SeSystemProfilePrivilege	320	wmic.exe
Token: SeSystemtimePrivilege	320	wmic.exe
Token: SeProfSingleProcessPrivilege	320	wmic.exe
Token: SeIncBasePriorityPrivilege	320	wmic.exe
Token: SeCreatePagefilePrivilege	320	wmic.exe
Token: SeBackupPrivilege	320	wmic.exe
Token: SeRestorePrivilege	320	wmic.exe
Token: SeShutdownPrivilege	320	wmic.exe
Token: SeDebugPrivilege	320	wmic.exe
Token: SeSystemEnvironmentPrivilege	320	wmic.exe
Token: SeRemoteShutdownPrivilege	320	wmic.exe
Token: SeUndockPrivilege	320	wmic.exe
Token: SeManageVolumePrivilege	320	wmic.exe
Token: 33	320	wmic.exe
Token: 34	320	wmic.exe
Token: 35	320	wmic.exe
Token: 36	320	wmic.exe
Token: SeIncreaseQuotaPrivilege	320	wmic.exe
Token: SeSecurityPrivilege	320	wmic.exe
Token: SeTakeOwnershipPrivilege	320	wmic.exe
Token: SeLoadDriverPrivilege	320	wmic.exe
Token: SeSystemProfilePrivilege	320	wmic.exe
Token: SeSystemtimePrivilege	320	wmic.exe
Token: SeProfSingleProcessPrivilege	320	wmic.exe
Token: SeIncBasePriorityPrivilege	320	wmic.exe
Token: SeCreatePagefilePrivilege	320	wmic.exe
Token: SeBackupPrivilege	320	wmic.exe
Token: SeRestorePrivilege	320	wmic.exe
Token: SeShutdownPrivilege	320	wmic.exe
Token: SeDebugPrivilege	320	wmic.exe
Token: SeSystemEnvironmentPrivilege	320	wmic.exe
Token: SeRemoteShutdownPrivilege	320	wmic.exe
Token: SeUndockPrivilege	320	wmic.exe
Token: SeManageVolumePrivilege	320	wmic.exe
Token: 33	320	wmic.exe
Token: 34	320	wmic.exe
Token: 35	320	wmic.exe
Token: 36	320	wmic.exe
Token: SeIncreaseQuotaPrivilege	1296	WMIC.exe
Token: SeSecurityPrivilege	1296	WMIC.exe
Token: SeTakeOwnershipPrivilege	1296	WMIC.exe
Token: SeLoadDriverPrivilege	1296	WMIC.exe
Token: SeSystemProfilePrivilege	1296	WMIC.exe
Token: SeSystemtimePrivilege	1296	WMIC.exe
Token: SeProfSingleProcessPrivilege	1296	WMIC.exe
Token: SeIncBasePriorityPrivilege	1296	WMIC.exe
Token: SeCreatePagefilePrivilege	1296	WMIC.exe
Token: SeBackupPrivilege	1296	WMIC.exe
Token: SeRestorePrivilege	1296	WMIC.exe
Token: SeShutdownPrivilege	1296	WMIC.exe
Token: SeDebugPrivilege	1296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1296	WMIC.exe
Token: SeRemoteShutdownPrivilege	1296	WMIC.exe
Token: SeUndockPrivilege	1296	WMIC.exe
Token: SeManageVolumePrivilege	1296	WMIC.exe
Token: 33	1296	WMIC.exe
Token: 34	1296	WMIC.exe
Token: 35	1296	WMIC.exe
Token: 36	1296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1296	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.execmd.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1256 wrote to memory of 1896	1256	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
PID 1896 wrote to memory of 320	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 1896 wrote to memory of 320	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 1896 wrote to memory of 320	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	wmic.exe
PID 1896 wrote to memory of 4592	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1896 wrote to memory of 4592	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1896 wrote to memory of 4592	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 4592 wrote to memory of 1296	4592	cmd.exe	WMIC.exe
PID 4592 wrote to memory of 1296	4592	cmd.exe	WMIC.exe
PID 4592 wrote to memory of 1296	4592	cmd.exe	WMIC.exe
PID 1896 wrote to memory of 3752	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1896 wrote to memory of 3752	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 1896 wrote to memory of 3752	1896	5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe	cmd.exe
PID 3752 wrote to memory of 800	3752	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 800	3752	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 800	3752	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
"C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe
"C:\Users\Admin\AppData\Local\Temp\5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
memory/1256-134-0x0000000005E30000-0x0000000005ECC000-memory.dmp

Filesize
624KB

Download
memory/1256-135-0x0000000006480000-0x0000000006A24000-memory.dmp

Filesize
5.6MB

Download
memory/1256-136-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1256-137-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/1256-138-0x0000000005E00000-0x0000000005E0A000-memory.dmp

Filesize
40KB

Download
memory/1256-139-0x00000000060C0000-0x0000000006116000-memory.dmp

Filesize
344KB

Download
memory/1256-133-0x0000000000F70000-0x000000000143E000-memory.dmp

Filesize
4.8MB

Download
memory/1896-142-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-145-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-146-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-147-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-148-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-149-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-150-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-144-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-140-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-203-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads