aurora | 9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45

General

Target

WWSBot.exe
Size

307.5MB
MD5

9be38374c8a6d743747494d645dbe76b
SHA1

123c3a9149b00d50c2b20aada2c6ae9f3cce55e5
SHA256

9ca89cf3afe2d41cedf5c361a43388d90c6e69ff7625e0209c4b135b2e448d45
SHA512

29dbda5921deb999010379a996f16f0640de891dc85f36e4175f3ec0dd381bfe8c52da05d42408d4b036427ba8d4c00f79149d25280b4cffc291cdb4e0643727
SSDEEP

24576:tN+qbmS6e/1ijwnQFpP1CJUmWw5/Ky9YawDZoaZC0gvbm49kLDA5gHdf6sxJwESo:WqbmSL/0wnQX1C3gk+lKbyf/z1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.29:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

WWSBot.exe

description pid process target process

PID 2280 set thread context of 4132 2280 WWSBot.exe WWSBot.exe

description	pid	process	target process
PID 2280 set thread context of 4132	2280	WWSBot.exe	WWSBot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4420	wmic.exe
Token: SeSecurityPrivilege	4420	wmic.exe
Token: SeTakeOwnershipPrivilege	4420	wmic.exe
Token: SeLoadDriverPrivilege	4420	wmic.exe
Token: SeSystemProfilePrivilege	4420	wmic.exe
Token: SeSystemtimePrivilege	4420	wmic.exe
Token: SeProfSingleProcessPrivilege	4420	wmic.exe
Token: SeIncBasePriorityPrivilege	4420	wmic.exe
Token: SeCreatePagefilePrivilege	4420	wmic.exe
Token: SeBackupPrivilege	4420	wmic.exe
Token: SeRestorePrivilege	4420	wmic.exe
Token: SeShutdownPrivilege	4420	wmic.exe
Token: SeDebugPrivilege	4420	wmic.exe
Token: SeSystemEnvironmentPrivilege	4420	wmic.exe
Token: SeRemoteShutdownPrivilege	4420	wmic.exe
Token: SeUndockPrivilege	4420	wmic.exe
Token: SeManageVolumePrivilege	4420	wmic.exe
Token: 33	4420	wmic.exe
Token: 34	4420	wmic.exe
Token: 35	4420	wmic.exe
Token: 36	4420	wmic.exe
Token: SeIncreaseQuotaPrivilege	4420	wmic.exe
Token: SeSecurityPrivilege	4420	wmic.exe
Token: SeTakeOwnershipPrivilege	4420	wmic.exe
Token: SeLoadDriverPrivilege	4420	wmic.exe
Token: SeSystemProfilePrivilege	4420	wmic.exe
Token: SeSystemtimePrivilege	4420	wmic.exe
Token: SeProfSingleProcessPrivilege	4420	wmic.exe
Token: SeIncBasePriorityPrivilege	4420	wmic.exe
Token: SeCreatePagefilePrivilege	4420	wmic.exe
Token: SeBackupPrivilege	4420	wmic.exe
Token: SeRestorePrivilege	4420	wmic.exe
Token: SeShutdownPrivilege	4420	wmic.exe
Token: SeDebugPrivilege	4420	wmic.exe
Token: SeSystemEnvironmentPrivilege	4420	wmic.exe
Token: SeRemoteShutdownPrivilege	4420	wmic.exe
Token: SeUndockPrivilege	4420	wmic.exe
Token: SeManageVolumePrivilege	4420	wmic.exe
Token: 33	4420	wmic.exe
Token: 34	4420	wmic.exe
Token: 35	4420	wmic.exe
Token: 36	4420	wmic.exe
Token: SeIncreaseQuotaPrivilege	3764	WMIC.exe
Token: SeSecurityPrivilege	3764	WMIC.exe
Token: SeTakeOwnershipPrivilege	3764	WMIC.exe
Token: SeLoadDriverPrivilege	3764	WMIC.exe
Token: SeSystemProfilePrivilege	3764	WMIC.exe
Token: SeSystemtimePrivilege	3764	WMIC.exe
Token: SeProfSingleProcessPrivilege	3764	WMIC.exe
Token: SeIncBasePriorityPrivilege	3764	WMIC.exe
Token: SeCreatePagefilePrivilege	3764	WMIC.exe
Token: SeBackupPrivilege	3764	WMIC.exe
Token: SeRestorePrivilege	3764	WMIC.exe
Token: SeShutdownPrivilege	3764	WMIC.exe
Token: SeDebugPrivilege	3764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3764	WMIC.exe
Token: SeRemoteShutdownPrivilege	3764	WMIC.exe
Token: SeUndockPrivilege	3764	WMIC.exe
Token: SeManageVolumePrivilege	3764	WMIC.exe
Token: 33	3764	WMIC.exe
Token: 34	3764	WMIC.exe
Token: 35	3764	WMIC.exe
Token: 36	3764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3764	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WWSBot.exeWWSBot.execmd.execmd.exe

description	pid	process	target process
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 2280 wrote to memory of 4132	2280	WWSBot.exe	WWSBot.exe
PID 4132 wrote to memory of 4420	4132	WWSBot.exe	wmic.exe
PID 4132 wrote to memory of 4420	4132	WWSBot.exe	wmic.exe
PID 4132 wrote to memory of 316	4132	WWSBot.exe	cmd.exe
PID 4132 wrote to memory of 316	4132	WWSBot.exe	cmd.exe
PID 316 wrote to memory of 3764	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 3764	316	cmd.exe	WMIC.exe
PID 4132 wrote to memory of 3360	4132	WWSBot.exe	cmd.exe
PID 4132 wrote to memory of 3360	4132	WWSBot.exe	cmd.exe
PID 3360 wrote to memory of 4220	3360	cmd.exe	WMIC.exe
PID 3360 wrote to memory of 4220	3360	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\WWSBot.exe
"C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\WWSBot.exe
"C:\Users\Admin\AppData\Local\Temp\WWSBot.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
memory/4132-133-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-138-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-143-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-144-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-145-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-146-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-147-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-148-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-149-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download
memory/4132-202-0x0000000000540000-0x000000000089C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing