General
-
Target
C4Loader.exe
-
Size
855KB
-
Sample
230404-ntdnpsef44
-
MD5
c5da2ceab187e9312e30ada95a65b7df
-
SHA1
d79c14118f6a767447da7bb25c752fa5861be201
-
SHA256
fb0c637754e3546971be2c4ba4aa9e63f54948421c751b74e748f1fb3bbae955
-
SHA512
e4bb03aaaeef87a774787a03554559cda2c0d14495ad8fc9e7728d702819562f7975cabfc713625a83cb167da3b377a80e12674a28932d7da650a78403468c3e
-
SSDEEP
3072:/gtlYTIQ2Y0A2Zf4DGrHUNc8z44jcK1Y3Vmirw:IvQ25A/i4jwK1YJ8
Malware Config
Extracted
aurora
107.182.129.73:8081
Targets
-
-
Target
C4Loader.exe
-
Size
855KB
-
MD5
c5da2ceab187e9312e30ada95a65b7df
-
SHA1
d79c14118f6a767447da7bb25c752fa5861be201
-
SHA256
fb0c637754e3546971be2c4ba4aa9e63f54948421c751b74e748f1fb3bbae955
-
SHA512
e4bb03aaaeef87a774787a03554559cda2c0d14495ad8fc9e7728d702819562f7975cabfc713625a83cb167da3b377a80e12674a28932d7da650a78403468c3e
-
SSDEEP
3072:/gtlYTIQ2Y0A2Zf4DGrHUNc8z44jcK1Y3Vmirw:IvQ25A/i4jwK1YJ8
Score10/10-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-