General

  • Target: C4Client.rar
  • Size: 135KB
  • Sample: 230329-d31vgsgc4x
  • MD5: c11f9838306918f05712098355d046ec
  • SHA1: 4559df5c0087c506f41e090a9f6a8513be5fbd4c
  • SHA256: 57c6178936a9099249ebaf6d831a2d2e2b767c085850dba55f76689c2ef9490a
  • SHA512: 54c92a915fee855707d94b8a01a926b1cadc9b1fb059ae50f96d7752a247cf6c7f72c58693a2806dbfa3f02aeb6983bd722db16d8c2e81bda49da85c4392fb7f
  • SSDEEP: 3072:MSPR37h9APlpOZcpCw110ew0CpJwpjBAxc1Tn8SX1lFmPtEDuGdirunTZ/ur:M4R3n6pGcpCw1LH5AxG17qyuGdhJur

Malware Config

Extracted

  • Family: aurora
  • C2: 107.182.129.73:8081

Targets

    • Target: C4Client.exe
    • Size: 687.6MB
    • MD5: 6dc896f98f315d59f7ff0a23ec918e68
    • SHA1: e52e78a5f7eb29cd4eca84e47943fce5028961dd
    • SHA256: 0ce0f0ddf91c200d8a9c91c3c47f807ecc26de890de8e4dc83ec4f5a08404a06
    • SHA512: 2ac4b6f3f9014f33bc6e1a0d8fc741fbba2e6918d35bdf572bf19a4ff3ee576671796a0f52398afd620c67963fe4b6700fe8faae19f47c8517b3658263a30dff
    • SSDEEP: 3072:0nTjRD5V730BSng7tJr8Khw6pItWgAEqjAxou3e7BNIdOAg0FujDvktlL0BjMwmk:G1V7h2r/hwNWgAEqjAKmkAOECjMwm

    • Aurora

      Aurora is a cryptocurrency wallet stealer written in Go.

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
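The hashes and the extracted C2 above are the indicators a responder would want to check locally. The following Python script is an added example, not part of the sandbox report and not code from the sandbox vendor or the Aurora authors: it carries the report's MD5/SHA1/SHA256 values and the C2 socket as constants, hashes files under a directory in chunks (the report lists the EXE at 687.6MB, so the whole file is never read into memory), and scans log lines for the C2 host and port. The log lines are constructed for the stand-alone run, and the log field layout (`dst=`, `dport=`) is an assumption.

```python
"""Local IOC check built from the indicators in this report (added example)."""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# File hashes transcribed from the report: the C4Client.rar archive and the
# C4Client.exe it contains.
IOC_HASHES: Dict[str, set] = {
    "md5": {
        "c11f9838306918f05712098355d046ec",   # C4Client.rar
        "6dc896f98f315d59f7ff0a23ec918e68",   # C4Client.exe
    },
    "sha1": {
        "4559df5c0087c506f41e090a9f6a8513be5fbd4c",
        "e52e78a5f7eb29cd4eca84e47943fce5028961dd",
    },
    "sha256": {
        "57c6178936a9099249ebaf6d831a2d2e2b767c085850dba55f76689c2ef9490a",
        "0ce0f0ddf91c200d8a9c91c3c47f807ecc26de890de8e4dc83ec4f5a08404a06",
    },
}

# C2 socket from the extracted aurora config.
IOC_C2: List[Tuple[str, str]] = [("107.182.129.73", "8081")]

ALGS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """md5/sha1/sha256 hex digests of an in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in 1 MiB chunks so a multi-hundred-MB sample never sits in memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return the algorithms whose digest appears in the report's IOC set."""
    return sorted(alg for alg, hexd in digests.items()
                  if hexd.lower() in IOC_HASHES.get(alg, set()))


def scan_directory(root: Path) -> List[Tuple[Path, List[str]]]:
    """Hash every regular file under root and return those matching an IOC hash."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            matched = match_hashes(hash_file(p))
            if matched:
                hits.append((p, matched))
    return hits


def find_c2_hits(lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the C2 host together with its port.

    Handles both "ip:port" and logs that carry the IP and port in separate
    fields (dst=... dport=...); the port is matched as a whole number so
    18081 or 80810 do not count.
    """
    hits = []
    for line in lines:
        for ip, port in IOC_C2:
            if ip in line and re.search(rf"(?<!\d){re.escape(port)}(?!\d)", line):
                hits.append(line.rstrip())
                break
    return hits


# Constructed firewall/proxy lines for a stand-alone run; not taken from the report.
SAMPLE_LOG = [
    "2023-03-29T10:01:12Z fw allow src=10.0.0.15:51322 dst=107.182.129.73:8081 proto=tcp",
    "2023-03-29T10:01:13Z proxy GET http://example.test/ 200",
    "2023-03-29T10:02:40Z fw allow src=10.0.0.15:51330 dst=107.182.129.73 dport=8081",
    "2023-03-29T10:03:01Z fw allow src=10.0.0.15:51331 dst=107.182.129.73 dport=443",
]


if __name__ == "__main__":
    import sys
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 hit:", hit)
    if len(sys.argv) > 1:   # optional: python ioc_check.py /path/to/scan
        for path, algs in scan_directory(Path(sys.argv[1])):
            print(f"hash IOC match ({', '.join(algs)}): {path}")
```

Run with no arguments to see the two constructed C2 hits (the line with `dport=443` to the same host is deliberately not reported); pass a directory to hash its contents against the report's values. Hash matching is exact, so a repacked or re-padded build of the same stealer will not match; the SSDEEP values in the report are the right indicator for that case.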

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                  Count  ID
  Execution             Scheduled Task             1      T1053
  Persistence           Modify Existing Service    2      T1031
  Persistence           Scheduled Task             1      T1053
  Privilege Escalation  Scheduled Task             1      T1053
  Defense Evasion       Modify Registry            1      T1112
  Defense Evasion       Impair Defenses            1      T1562
  Credential Access     Credentials in Files       2      T1081
  Discovery             Query Registry             1      T1012
  Collection            Data from Local System     2      T1005
  Impact                Service Stop               1      T1489
