aurora | 520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d | Triage

Submit
Reports

Overview

overview

Static

static

1fd972fa7b...e7.exe

windows7-x64

1fd972fa7b...e7.exe

windows10-2004-x64

Sharing

General

Target

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
Size

25.6MB
Sample

230720-j1jq3sdf84
MD5

1fd972fa7b5d9b8b1457dd025aa1ffe7
SHA1

2879d38e0b6fe1b930fafbe6415b641b5efc68e4
SHA256

520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d
SHA512

9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1
SSDEEP

98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp

Score

10^/10

aurora redline shurk lxix discovery infostealer spyware stealer

Static task

static1

redline shurk aurora

6 signatures

Behavioral task

behavioral1

Sample

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

Resource

win7-20230712-en

aurora redline shurk lxix discovery infostealer spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

Resource

win10v2004-20230703-en

aurora redline shurk lxix discovery infostealer spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

LXIX

C2

5.35.33.167:17154

Attributes

auth_value
3f30d9c8480a0830cfcc9a091fac5fca

Targets

- Target
  
  1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
- Size
  
  25.6MB
- MD5
  
  1fd972fa7b5d9b8b1457dd025aa1ffe7
- SHA1
  
  2879d38e0b6fe1b930fafbe6415b641b5efc68e4
- SHA256
  
  520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d
- SHA512
  
  9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1
- SSDEEP
  
  98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp
Score

10^/10

aurora redline shurk lxix discovery infostealer spyware stealer
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Shurk
  Shurk is an infostealer, written in C++ which appeared in 2021.
  infostealer shurk
- Shurk Stealer payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

redlineshurkaurora

behavioral1

auroraredlineshurklxixdiscoveryinfostealerspywarestealer

behavioral2

auroraredlineshurklxixdiscoveryinfostealerspywarestealer

© 2018-2024

Terms | Privacy