aurora | 4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0 | Triage

Submit
Reports

Overview

overview

Static

static

Aurora.exe

windows7-x64

Aurora.exe

windows10-2004-x64

Sharing

General

Target

Aurora.exe
Size

25.5MB
Sample

230501-mtwc3sha7y
MD5

5b5049eee909a12420356f785890ee12
SHA1

2458920623ab942e1f564cb09ae25fb02b6b76a0
SHA256

4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
SHA512

5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
SSDEEP

98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF

Score

10^/10

aurora shurk evasion infostealer persistence stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

Aurora.exe

Resource

win7-20230220-en

aurora shurk infostealer stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Aurora.exe

Resource

win10v2004-20230220-en

aurora shurk evasion infostealer persistence stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Targets

- Target
  
  Aurora.exe
- Size
  
  25.5MB
- MD5
  
  5b5049eee909a12420356f785890ee12
- SHA1
  
  2458920623ab942e1f564cb09ae25fb02b6b76a0
- SHA256
  
  4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
- SHA512
  
  5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
- SSDEEP
  
  98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Score

10^/10

aurora shurk infostealer stealer evasion persistence
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Shurk Stealer payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

aurorashurkinfostealerstealer

behavioral2

aurorashurkevasioninfostealerpersistencestealer

© 2018-2024

Terms | Privacy