aurora | 520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d

General

Target

1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
Size

25.6MB
MD5

1fd972fa7b5d9b8b1457dd025aa1ffe7
SHA1

2879d38e0b6fe1b930fafbe6415b641b5efc68e4
SHA256

520044b6e34ca534c0a4d97abd318a8db37169f18f8c1e385f3d5b79df9d025d
SHA512

9f5869d6e6ae67559f5a82d0841307ac1b6d09946c5ba963964d6a01e1c9aa17a229bfe30ec67e72c7f514e21c585c8ad1369bb6100d1aa16de3f829e7f527e1
SSDEEP

98304:ylQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxI:uQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRp

Score

10^/10

aurora redline shurk lxix discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LXIX

C2

5.35.33.167:17154

Attributes

auth_value
3f30d9c8480a0830cfcc9a091fac5fca

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4692-152-0x0000000000400000-0x0000000001DAA000-memory.dmp	family_redline

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023281-137.dat	shurk_stealer
behavioral2/files/0x0007000000023281-140.dat	shurk_stealer
behavioral2/files/0x0007000000023281-151.dat	shurk_stealer
behavioral2/memory/4692-152-0x0000000000400000-0x0000000001DAA000-memory.dmp	shurk_stealer
behavioral2/memory/2796-156-0x00007FF6F2A60000-0x00007FF6F436B000-memory.dmp	shurk_stealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	Aurora.exe
1288	LXIX.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1288	LXIX.exe
1288	LXIX.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	LXIX.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2796	4692	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	87
PID 4692 wrote to memory of 2796	4692	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	87
PID 4692 wrote to memory of 1288	4692	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	89
PID 4692 wrote to memory of 1288	4692	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	89
PID 4692 wrote to memory of 1288	4692	1fd972fa7b5d9b8b1457dd025aa1ffe7.exe	89

C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe
"C:\Users\Admin\AppData\Local\Temp\1fd972fa7b5d9b8b1457dd025aa1ffe7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\Aurora.exe
  "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\LXIX.exe
  "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe

Filesize
201KB

MD5
e25ed1abec99ab85498dbe0ac648875b

SHA1
739af601d9eaccae5bdc7c314d30de324f1a342b

SHA256
977536c6412d8d8e24310baf3515ff0992b3f29350587a0c8bcc1c279a849b6b

SHA512
4197d4d9248a87179055e4965a3bd543c892929378f896ef44209293b51775ba5270dd2967fe08971f4c712c2d735cbba9beee972ac0127247f1efdf2e88e6f3

Download Submit
memory/1288-159-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1288-161-0x00000000051B0000-0x0000000005226000-memory.dmp

Filesize
472KB

Download
memory/1288-154-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/1288-155-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/1288-157-0x0000000004F00000-0x000000000500A000-memory.dmp

Filesize
1.0MB

Download
memory/1288-158-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/1288-153-0x00000000004B0000-0x00000000004E8000-memory.dmp

Filesize
224KB

Download
memory/1288-171-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/1288-160-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

Filesize
240KB

Download
memory/1288-169-0x0000000006530000-0x0000000006580000-memory.dmp

Filesize
320KB

Download
memory/1288-162-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/1288-163-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/1288-164-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/1288-165-0x00000000065D0000-0x0000000006B74000-memory.dmp

Filesize
5.6MB

Download
memory/1288-166-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1288-167-0x0000000006D50000-0x0000000006F12000-memory.dmp

Filesize
1.8MB

Download
memory/1288-168-0x00000000076A0000-0x0000000007BCC000-memory.dmp

Filesize
5.2MB

Download
memory/2796-156-0x00007FF6F2A60000-0x00007FF6F436B000-memory.dmp

Filesize
25.0MB

Download
memory/4692-152-0x0000000000400000-0x0000000001DAA000-memory.dmp

Filesize
25.7MB

Download

Analysis

Sharing