aurora | 9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45 | Triage

Sharing

General

Target

WWSBot.exe
Size

307.5MB
Sample

230327-jl3kmscd26
MD5

9be38374c8a6d743747494d645dbe76b
SHA1

123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
SHA256

9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
SHA512

29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
SSDEEP

24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.29:8081

Targets

- Target
  
  WWSBot.exe
- Size
  
  307.5MB
- MD5
  
  9be38374c8a6d743747494d645dbe76b
- SHA1
  
  123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
- SHA256
  
  9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
- SHA512
  
  29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
- SSDEEP
  
  24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1
Score

10^/10

aurora spyware stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

auroraspywarestealer

behavioral2

auroraspywarestealer