General

  • Target

    mshta.hta

  • Size

    114KB

  • Sample

    230328-xsmdwscf83

  • MD5

    cc504d2b599df93f30cf9fe27cb00ce2

  • SHA1

    18339e9bf67bbef2815cc0ab99850c16685cbdbd

  • SHA256

    a774163cffc40309ec4399c67a0c24a6c3194695c881429fb62c6019f8b7f66f

  • SHA512

    256a991e62fe3362a4ec6e15982faa036f6892e9babceef49c206198ff96c19a02411149657439c380427595b8693e664397626622515e5a6884acb18de09141

  • SSDEEP

    1536:1xt1AMfJfwOaEVay8UtHcUp3MQRBAGdJd5RoSYceoK7LC4btIwTv67DJw7wRemyW:1xt1TRz84AGdJdjcF7E

Score
10/10

Malware Config

Extracted

Family

aurora

C2

212.87.204.93:8081

Targets

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks