aurora

Sharing

Copy URL

Twitter E-mail

General

Target

AURORA_STEALER.zip
Size

12.5MB
Sample

230429-tz7fvsbd59
MD5

f92cf33354f85d3212f77bdffe29c8a8
SHA1

b62f535c2ba7fef6351f9cbad2927d5b96f57934
SHA256

792769f4a1732dff62e7bbb838f6f485140447adcf31f5fc07861f00db8a0028
SHA512

74fbb96bda680dbce0b69a59026851e09aa39d73062014d1fd6d6e304c5a550d90accefb1429707553b9726feb877f2e3bbd58c0e0a744607cbf0d0ca941944a
SSDEEP

196608:ZMhaflFZwN3Xib1aV/k/G1fwOn8S1JlNWMtbZPp6Wk4phOBZ0iPEqYmOMc8JuOCj:Z1toiB0/kO1fwO8u9XpphO7HPVvOxEFU

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Targets

- Target
  
  Aurora.exe
- Size
  
  25.5MB
- MD5
  
  5b5049eee909a12420356f785890ee12
- SHA1
  
  2458920623ab942e1f564cb09ae25fb02b6b76a0
- SHA256
  
  4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
- SHA512
  
  5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
- SSDEEP
  
  98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Score

10^/10

aurora shurk infostealer stealer evasion persistence
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Shurk Stealer payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  gui/Builder.html
- Size
  
  23KB
- MD5
  
  179d80f9cfcdafce7f35371eba7b7130
- SHA1
  
  9ac5d15e8f7906227ee7e5334ad7c1f4068155fe
- SHA256
  
  6f5a2059d85bb87e672f62c2c435ded3eb6f1b02e91807b70eff00abab141628
- SHA512
  
  6b5f3d1fdd1dee969ee3825cd70bd525876bb1da1fcb85cf456e18f3241a7a3769c1b50253b6e1c7d8be495f8b12443984eaf62a9e9751e2a3df3558f7950a67
- SSDEEP
  
  192:mCf0TMOMiHWRWZl3bCprc8zHWP89YD8KMn+JnOUnVwnB2nDUn3iKt5LwlcRQlIhI:F8n1HWRqX2NZFFFwF4FM0cCM
Score

1^/10
behavioral3 behavioral4
- Target
  
  gui/CHECKER.html
- Size
  
  30KB
- MD5
  
  bbda01f4d78932e8716452e5b44c873c
- SHA1
  
  8f8059d8a82d7a05e8d03d1e8fc2962d7039b3cf
- SHA256
  
  ce8394994ae108d6a0a4fdce1c47afc415a0ff2bf20d7288bf4c0974fd2a4a25
- SHA512
  
  27b4d1b2492aa7fc64360bd019df8df222f4941f71862c793836f6dadaa8e1a58f10e011a47605d393a632b0d67af1fcd8e5203622d05cfbcbffb5da9ecd3375
- SSDEEP
  
  192:af0JOW/yNBVJbCprc8zHWP89YD8KMn+JnOUnVwnB2nDUn3iKt55uuMNq6p+aUNtd:a3W/0BhTuMxTcEuCM
Score

1^/10
behavioral5 behavioral6
- Target
  
  gui/Dashboard.html
- Size
  
  36KB
- MD5
  
  d48d1f160ff80990e5fc123886590158
- SHA1
  
  c3adff2a63b24b1219f31e75aea955cf401fa9f5
- SHA256
  
  eb071635072b9f1ccf127d954ea2678767441e77e5c4554fe6e7d22af1178962
- SHA512
  
  9bd258fd4c0b89fad2524a1c87ee267fab22692902f6d07014787aa09d09975b793aec93264b4af7d86c40d1d90e847f89b0aac3ba10f0c9b7f8931d56769528
- SSDEEP
  
  384:ozjQc7AkpXtr4MspwJoEE7rASHQoYXR3VAUl4AglgAAOT1LM:ozjQc7h74JCSH+3pe1Tq
Score

1^/10
behavioral7 behavioral8
- Target
  
  gui/Loader.html
- Size
  
  27KB
- MD5
  
  53b77ef10f8580f43e5c23ac6f50dadf
- SHA1
  
  5330303de1b34eb091de895bc91fcf22da33d94b
- SHA256
  
  3239679b3ff2d5e397670ec59e71c28826fd0c63d8cfeb350ea15dd2e9cfaaf4
- SHA512
  
  2c38ab2f36ba6f3ae6f76b8458b6ba75b18eb24b16499de4731a743377cda1e9cd08563731518c1cc2ac4bb3467c43654690a383d7cef1ebf61b7a94c608f5a6
- SSDEEP
  
  192:DaCOxrP7PFPOWW3+l3bCprc8zHWP89YD8KMn+JnOUnVwnB2nDUn3iKt5nu0MNq62:DaNxrP7PFPOWWOXr0MuWj7pgQ56JK2CM
Score

1^/10
behavioral10 behavioral9
- Target
  
  gui/SETTINGS.html
- Size
  
  45KB
- MD5
  
  7fe962624d5dd78fe50e9000547f6d7d
- SHA1
  
  be9aaea6cd7093697da01500502f1822979d91f6
- SHA256
  
  910b01ae62ac0c3e71e3a037341e7fb72b22bc9c57edb41c7c5418dac2db8e75
- SHA512
  
  30ed130e18fbadc90e9f05cfd00c6f54274b002a164e540b1e2821e44640c2d897a7aa994a68137e69f320dfee97bd13e80addda66c3fb180909cd2cb76e8132
- SSDEEP
  
  192:NNOcf0Tazjt+WOZl3bCprc8zHWP89YD8KMn+JnOUnVwnB6nDgn3iKt5qNH0MqPCX:Ncc8azjt+WSXfH0MDTmq3iMXGZQxCG6M
Score

1^/10
behavioral11 behavioral12
- Target
  
  gui/assets/docs.js
- Size
  
  430B
- MD5
  
  fc829c7b7378701e2e5f835ab968bba1
- SHA1
  
  0b01be0b43e824c875a5281b5e9c7602b76e2030
- SHA256
  
  5b0ac21a5ab15c795894e558f73071fddd44a116ae675e72249302135db977d8
- SHA512
  
  31ff6432b4578ca1b3d315b079574254cb8aaabfe1e766dbda4cffb9181101669590b55a381f2685e91ac11a27e9b64ed0fc399523323583307592ce0bc10437
Score

1^/10
behavioral13 behavioral14
- Target
  
  gui/inlog.html
- Size
  
  6KB
- MD5
  
  b2b90afba457e3ebd4098dfa49ddcb09
- SHA1
  
  e2480663992878a2c5942e8396840b207dab4175
- SHA256
  
  0a7ff9068f0f60cd2fafb298fee177ca93453665f5ed973503a86f1ea88fe110
- SHA512
  
  909a1727f068f094801f90e213449b738ed56c02c4a49a44da556f8d1368d90da2f2ec9ac8bc031c8d1ed2e45ce0b3bf53c97ea397e9efb3a5daa3275057ad75
- SSDEEP
  
  96:5D15sO500ZLPUARaJX/9itC36wpBr6yxIi/zJocnmd4E+ZR5K6nP5EGE7Me:TOOq09PUAU1FitC3Rz6yxX/zK5qEBwe
Score

1^/10
behavioral15 behavioral16
- Target
  
  gui/jSnow.js
- Size
  
  2KB
- MD5
  
  40ee348bbc051a90be6d0a058acf9567
- SHA1
  
  f8fd2ea9d1c2c86450f10fbce3223138b098e1d2
- SHA256
  
  6302ada99e061de3e4180de11be7d8126db8c6a2d4993e28c35465cd1be58347
- SHA512
  
  fb0cedaf2d207ec52266b8373ba2e4ae02a3ee8cea282c95c635f170c0def7d1433b121247a3aeafd82c11cb4687cacf7d852ee6492e693919fdb5b8c3fd5d45
Score

1^/10
behavioral17 behavioral18
- Target
  
  gui/jquery.js
- Size
  
  87KB
- MD5
  
  dc5e7f18c8d36ac1d3d4753a87c98d0a
- SHA1
  
  c8e1c8b386dc5b7a9184c763c88d19a346eb3342
- SHA256
  
  f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d
- SHA512
  
  6cb4f4426f559c06190df97229c05a436820d21498350ac9f118a5625758435171418a022ed523bae46e668f9f8ea871feab6aff58ad2740b67a30f196d65516
- SSDEEP
  
  1536:AjExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLiTFbc0QlQvakF:AYh8eip3huuf6IidlrvakdtQ47GK1
Score

1^/10
behavioral19 behavioral20
- Target
  
  resource/ResourceHacker.exe
- Size
  
  5.4MB
- MD5
  
  b406ef352a5e5260f179e7abd2feb846
- SHA1
  
  faabfd4a58775a9c2240bb07a48b7451506fd984
- SHA256
  
  4ab1a1035588f0c99b00e39d87ef9a0d940437a05802f0e75956ab65149133be
- SHA512
  
  bd10dd1d21dde7ddc77e91a5bc769797fe7388168f71225afac337b9aabb41b362cb6abcac1eac545ad2ec36686b48f6fe52c4036e27f903939e9a73fad6be1b
- SSDEEP
  
  49152:7DDFVHcYex2EIjwg5mSw9EOl3jQ2i5W0OJ6HH0Hk1qZejTggTUQG+xblVMnsNxAe:7P/LEiLMQ2t0OJ6Jq6khQREZK
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Targets

Shurk

Shurk Stealer payload

Blocklisted process makes network request

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22