aurora | 520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d

General

Target

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
Size

25.6MB
MD5

1fd972fa7b5d9b8b1457dd025aa1ffe7
SHA1

2879d38e0b6fe1b930fafbe6415b641b5efc68e4
SHA256

520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d
SHA512

9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1
SSDEEP

98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp

Score

10^/10

aurora redline shurk lxix discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LXIX

C2

5.35.33.167:17154

Attributes

auth_value
3f30d9c8480a0830cfcc9a091fac5fca

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp	family_redline

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012022-56.dat	shurk_stealer
behavioral1/files/0x0008000000012022-61.dat	shurk_stealer
behavioral1/files/0x0008000000012022-60.dat	shurk_stealer
behavioral1/files/0x0008000000012022-57.dat	shurk_stealer
behavioral1/files/0x0008000000012022-70.dat	shurk_stealer
behavioral1/memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp	shurk_stealer
behavioral1/memory/1276-71-0x000000013F660000-0x0000000140F6B000-memory.dmp	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
1276	Aurora.exe
2824	LXIX.exe

Loads dropped DLL 4 IoCs

pid	Process
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
2516	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Aurora.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Aurora.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	LXIX.exe
2824	LXIX.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	LXIX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	28
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	28
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	28
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	28
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	29
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	29
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	29
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	29

C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
"C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Aurora.exe
  "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\LXIX.exe
  "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
memory/1276-71-0x000000013F660000-0x0000000140F6B000-memory.dmp

Filesize
25.0MB

Download
memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp

Filesize
25.7MB

Download
memory/2824-72-0x0000000000980000-0x00000000009B8000-memory.dmp

Filesize
224KB

Download
memory/2824-73-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-74-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2824-75-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-76-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2824-77-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing