aurora | 9012d01ae4d6db135651b4322c96846544d8e323ecafe5754026f7ea0c320d5e | Triage

Submit
Reports

Overview

overview

Static

static

7

bde9b23fbe...90.exe

windows7-x64

7

bde9b23fbe...90.exe

windows10-2004-x64

Sharing

General

Target

bde9b23fbe4f12e5ff686c17cc9d9490.exe
Size

16.0MB
Sample

230413-qsdcnabf89
MD5

bde9b23fbe4f12e5ff686c17cc9d9490
SHA1

f0a99fc9abe817705fcae04ec626abf263ffcc32
SHA256

9012d01ae4d6db135651b4322c96846544d8e323ecafe5754026f7ea0c320d5e
SHA512

6f6fcad5783c4c1ab309f4a8950026fd063de6059f98e24e3b460095a665b2d54168c07c3fd42f0644f002adb3a2f91f80fbabdd852a19205b45c5643e6ddfe1
SSDEEP

98304:J2nlZSn0kF9Eh5euL3iuSr0/r5CBTZ8o0xnbREEwegXnrMOiRwF:AnlZSn0kF9Eh5sr0Ny09bREEweanI6

Score

10^/10

aurora persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bde9b23fbe4f12e5ff686c17cc9d9490.exe

Resource

win7-20230220-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

bde9b23fbe4f12e5ff686c17cc9d9490.exe

Resource

win10v2004-20230220-en

aurora persistence spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

aurora

C2

185.106.93.153:8081

Targets

- Target
  
  bde9b23fbe4f12e5ff686c17cc9d9490.exe
- Size
  
  16.0MB
- MD5
  
  bde9b23fbe4f12e5ff686c17cc9d9490
- SHA1
  
  f0a99fc9abe817705fcae04ec626abf263ffcc32
- SHA256
  
  9012d01ae4d6db135651b4322c96846544d8e323ecafe5754026f7ea0c320d5e
- SHA512
  
  6f6fcad5783c4c1ab309f4a8950026fd063de6059f98e24e3b460095a665b2d54168c07c3fd42f0644f002adb3a2f91f80fbabdd852a19205b45c5643e6ddfe1
- SSDEEP
  
  98304:J2nlZSn0kF9Eh5euL3iuSr0/r5CBTZ8o0xnbREEwegXnrMOiRwF:AnlZSn0kF9Eh5sr0Ny09bREEweanI6
Score

10^/10

aurora persistence spyware stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

aurorapersistencespywarestealer

© 2018-2024

Terms | Privacy