aurora | 9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45

General

Target

WWSBot.exe
Size

307.5MB
MD5

9be38374c8a6d743747494d645dbe76b
SHA1

123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
SHA256

9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
SHA512

29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
SSDEEP

24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.29:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

WWSBot.exe

description pid process target process

PID 1172 set thread context of 1044 1172 WWSBot.exe WWSBot.exe

description	pid	process	target process
PID 1172 set thread context of 1044	1172	WWSBot.exe	WWSBot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemProfilePrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeProfSingleProcessPrivilege	1388	wmic.exe
Token: SeIncBasePriorityPrivilege	1388	wmic.exe
Token: SeCreatePagefilePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeDebugPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe
Token: SeRemoteShutdownPrivilege	1388	wmic.exe
Token: SeUndockPrivilege	1388	wmic.exe
Token: SeManageVolumePrivilege	1388	wmic.exe
Token: 33	1388	wmic.exe
Token: 34	1388	wmic.exe
Token: 35	1388	wmic.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemProfilePrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeProfSingleProcessPrivilege	1388	wmic.exe
Token: SeIncBasePriorityPrivilege	1388	wmic.exe
Token: SeCreatePagefilePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeDebugPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe
Token: SeRemoteShutdownPrivilege	1388	wmic.exe
Token: SeUndockPrivilege	1388	wmic.exe
Token: SeManageVolumePrivilege	1388	wmic.exe
Token: 33	1388	wmic.exe
Token: 34	1388	wmic.exe
Token: 35	1388	wmic.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WWSBot.exeWWSBot.execmd.execmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1172 wrote to memory of 1044	1172	WWSBot.exe	WWSBot.exe
PID 1044 wrote to memory of 1388	1044	WWSBot.exe	wmic.exe
PID 1044 wrote to memory of 1388	1044	WWSBot.exe	wmic.exe
PID 1044 wrote to memory of 1388	1044	WWSBot.exe	wmic.exe
PID 1044 wrote to memory of 664	1044	WWSBot.exe	cmd.exe
PID 1044 wrote to memory of 664	1044	WWSBot.exe	cmd.exe
PID 1044 wrote to memory of 664	1044	WWSBot.exe	cmd.exe
PID 664 wrote to memory of 2036	664	cmd.exe	WMIC.exe
PID 664 wrote to memory of 2036	664	cmd.exe	WMIC.exe
PID 664 wrote to memory of 2036	664	cmd.exe	WMIC.exe
PID 1044 wrote to memory of 892	1044	WWSBot.exe	cmd.exe
PID 1044 wrote to memory of 892	1044	WWSBot.exe	cmd.exe
PID 1044 wrote to memory of 892	1044	WWSBot.exe	cmd.exe
PID 892 wrote to memory of 296	892	cmd.exe	WMIC.exe
PID 892 wrote to memory of 296	892	cmd.exe	WMIC.exe
PID 892 wrote to memory of 296	892	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\WWSBot.exe
"C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\WWSBot.exe
"C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
memory/1044-62-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-59-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-64-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-58-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-65-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-60-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-61-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/1044-66-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-57-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-56-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-54-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-67-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-68-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-69-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-70-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-55-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1044-102-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing