aurora | 520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d

General

Target

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
Size

25.6MB
MD5

1fd972fa7b5d9b8b1457dd025aa1ffe7
SHA1

2879d38e0b6fe1b930fafbe6415b641b5efc68e4
SHA256

520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d
SHA512

9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1
SSDEEP

98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp

Score

10^/10

aurora redline shurk lxix discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LXIX

C2

5.35.33.167:17154

Attributes

auth_value
3f30d9c8480a0830cfcc9a091fac5fca

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp	family_redline

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
\Users\Admin\AppData\Local\Temp\Aurora.exe	shurk_stealer
behavioral1/memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp	shurk_stealer
behavioral1/memory/1276-71-0x000000013F660000-0x0000000140F6B000-memory.dmp	shurk_stealer

Executes dropped EXE 2 IoCs

Processes:

Aurora.exeLXIX.exe

pid process

1276 Aurora.exe
2824 LXIX.exe
Loads dropped DLL 4 IoCs

Processes:

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

pid process

1712 1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712 1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712 1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
2516
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1276	Aurora.exe
2824	LXIX.exe

pid	process
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
2516

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Aurora.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Aurora.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Aurora.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LXIX.exe

pid process

2824 LXIX.exe
2824 LXIX.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

LXIX.exe

description pid process

Token: SeDebugPrivilege 2824 LXIX.exe

pid	process
2824	LXIX.exe
2824	LXIX.exe

description	pid	process
Token: SeDebugPrivilege	2824	LXIX.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

description	pid	process	target process
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	Aurora.exe
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	Aurora.exe
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	Aurora.exe
PID 1712 wrote to memory of 1276	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	Aurora.exe
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	LXIX.exe
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	LXIX.exe
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	LXIX.exe
PID 1712 wrote to memory of 2824	1712	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	LXIX.exe

C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
"C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1276

C:\Users\Admin\AppData\Local\Temp\LXIX.exe
"C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora.exe
Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
memory/1276-71-0x000000013F660000-0x0000000140F6B000-memory.dmp

Filesize
25.0MB

Download
memory/1712-67-0x0000000000400000-0x0000000001DAA000-memory.dmp

Filesize
25.7MB

Download
memory/2824-72-0x0000000000980000-0x00000000009B8000-memory.dmp

Filesize
224KB

Download
memory/2824-73-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-74-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2824-75-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-76-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2824-77-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads