General
-
Target
Aurora.exe
-
Size
25.5MB
-
Sample
230501-t47bnadf25
-
MD5
5b5049eee909a12420356f785890ee12
-
SHA1
2458920623ab942e1f564cb09ae25fb02b6b76a0
-
SHA256
4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
-
SHA512
5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
-
SSDEEP
98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Behavioral task
behavioral1
Sample
Aurora.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Aurora.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
https://pastebin.com/raw/tPAFrSUD
Targets
-
-
Target
Aurora.exe
-
Size
25.5MB
-
MD5
5b5049eee909a12420356f785890ee12
-
SHA1
2458920623ab942e1f564cb09ae25fb02b6b76a0
-
SHA256
4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
-
SHA512
5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
-
SSDEEP
98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Score10/10-
Shurk Stealer payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-