General

  • Target

    A u r о r a X.rar

  • Size

    8.1MB

  • Sample

    240314-2pgfpahe5y

  • MD5

    6847de14c6e1457fc14fe029e2b1f490

  • SHA1

    97d0f4c6c0431982d1555f1fb759c8b81853b13d

  • SHA256

    09390304176d930c2ff463be7537b7134c74a39ddd13030642d0cb4956cc6d15

  • SHA512

    aa4a723b2df6f752588c7d21d1a657a61bea6a0823cfb8d7e7341b7a1c802b98773b01bedecfe2c94224957e9424a563bebc975ac6fede2dc2bff425dda5f423

  • SSDEEP

    196608:UjN/pzpHYy3Fvo6G6Qypd+DlJa+seheTjkuPDEjVGCDXzG8SuMRTgf8iQ:UBRzp4iA6DQypdaXcTjb7kGC5RUUf83

Targets

    • Target

      A u r о r a X.rar

    • Size

      8.1MB

    • MD5

      6847de14c6e1457fc14fe029e2b1f490

    • SHA1

      97d0f4c6c0431982d1555f1fb759c8b81853b13d

    • SHA256

      09390304176d930c2ff463be7537b7134c74a39ddd13030642d0cb4956cc6d15

    • SHA512

      aa4a723b2df6f752588c7d21d1a657a61bea6a0823cfb8d7e7341b7a1c802b98773b01bedecfe2c94224957e9424a563bebc975ac6fede2dc2bff425dda5f423

    • SSDEEP

      196608:UjN/pzpHYy3Fvo6G6Qypd+DlJa+seheTjkuPDEjVGCDXzG8SuMRTgf8iQ:UBRzp4iA6DQypdaXcTjb7kGC5RUUf83

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials, cookies, session tokens and autofill form data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node and HKCU counterparts).

    • Target

      A u r о r a X/A u r о r a X.exe

    • Size

      715KB

    • MD5

      f476fc8e39528472df2b1ab6c5a469e2

    • SHA1

      4d2e57a77b87b99ddcc5369d5fe98e5bac6856f4

    • SHA256

      b245a9e880b92b5525233c4a8cdb8e4d1cda15c7e1a4a6ca7ee99d97cf51488a

    • SHA512

      88c800a78f4ee407afd88ef8ef1e82b4b1217af6e3631edb6b7c6d99364c49417036634204f5f197ef0b8111637468e6cbecc3c2ef2c9d490e89d0a9ada7cce7

    • SSDEEP

      12288:YNDg1jvzGKeIa4lux1aDtHQxkWJyhKjaUyXBjMCe/0k0QQKjIL6:YNqvGSa4lL1Qai3ydm/0jwIL6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials, cookies, session tokens and autofill form data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node and HKCU counterparts).

    • Target

      $TEMP/Beat

    • Size

      286KB

    • MD5

      032357703b5ce3baf1c1c8e2cfbecd53

    • SHA1

      d2fd7b21dde1ffe42c541c7077a04f5b7c0a05ea

    • SHA256

      735cda19d881ee2c28101d09414cfb873ba17587f77a7fac24125da18e4afebe

    • SHA512

      2476fe332260ddff35d27c6fc29d150510c9828f79b27933854b4282653c2956807072fe99dcbe8fa9c5aedda1e6a219887d2427bc0eaf9f1837fcdb2d9f6299

    • SSDEEP

      3072:M2xBRARtUvlTV++r8LXBXK4o5LNb8bwjrkITBkO0yE4o50MHRV+mMGkhwwCa4o5T:f8LXBXo8bwjrvXx9wlI4H4Z

    • Score

      1/10

    • Target

      $TEMP/Hurricane

    • Size

      174KB

    • MD5

      35bafb2670374b40e7565d2375a0398e

    • SHA1

      408588981f40afd9b9cde22b1730a9b0b6c786da

    • SHA256

      589b656a6b34233fb305bc1be6bcdedb821f9efbbd2dd2089e1a93196b0daa19

    • SHA512

      11d868d3ba9a7156d12d1794951ded13d3cab7e93aa46e8fa73df2bcfdf820c75b8f4c2e0b90a1aae871cef591b245279db88314cabc4b8f3ad11198f248a27f

    • SSDEEP

      3072:JWD0zHWcyfHEu3vykQoJs6te5yUZGpYHm4olZK4o5+LIS:sQzEvb/XJDe5yUF/iZB

    • Score

      1/10

    • Target

      $TEMP/Impact

    • Size

      109KB

    • MD5

      cb653da94140e5c70e9c86e7fbda1d29

    • SHA1

      36c4a6955ac0b7fa890b65c66b5f3f14087dc978

    • SHA256

      ccf96df9859615a179ae7b975b0130ff28ff869b1289c0cd963ed2236638708b

    • SHA512

      6f35ff9fd752d077d92c66ad147ea3c449e9dc60a2cf762da5991b8f25afafa130af6ae0395c0777af94b54079a6a1dbeba744c475e0b7e72704d42216d86877

    • SSDEEP

      1536:Sixl2vqWWGlHHvpKa5Gk6/vij4Ng/Pp5q/qw0j8sgyZpQ4VMEPmfP/b/psgrO4ab:SixApVIa0/vidXqGjLPQ6ClAT

    • Score

      1/10

    • Target

      $TEMP/Prevention

    • Size

      56KB

    • MD5

      81d88021025188b208e3e5bee870a35f

    • SHA1

      167d2b860097a9baccd09ed41e8c922065c42ba9

    • SHA256

      0df0214c701b1ee01d73b37174835c06674e3e509a31d26e2cb8b4ad78286314

    • SHA512

      80b2b1c7ca92af39bd4633ed8cb86d13257e24c0750d841cc5169f331a9b77b263b68c62cd99a2c198fd07d3ef70ab3385749e42defe9a6e25c5cc98b338b7ce

    • SSDEEP

      768:bye4Ur2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:Oo2+9BBVgCOa1ZBPaPQaEwo0yv

    • Score

      1/10

    • Target

      $TEMP/Ray

    • Size

      233KB

    • MD5

      8f5dc8c2edd6d31892833f02c91e06d8

    • SHA1

      3aa7a22e9c2b9ef55f6ab8fdbd871d905e693e81

    • SHA256

      177c7d6763739c7bd54cd62270a1a9e28560a1ec0dc3bc1d88ecd1d6e4a9e15f

    • SHA512

      c4e7feedad4d22356fd8aea8ae593ce40dd28e540cdb5162d1c0f8300bfaa22a05202cb91eb3eb4f37724008b3d9df966e58dbea0d76e66c0e5de8410a2a3daa

    • SSDEEP

      6144:ofA+eyVPlcBgtoTqnvAfcaG9b2M8JTDD/xcq21Ra:2zlcqikvAfcN9b2MyZa3a

    • Score

      1/10

    • Target

      $TEMP/Smoke

    • Size

      266KB

    • MD5

      cecbfa5f9956a5c0e60933b58288c280

    • SHA1

      715c43aae2eed1836e459bff9717ab97494704d8

    • SHA256

      bd6a32bb4829a271c4ae9f7c6dbffd920cb22865ed3bf356eddd9df596d99f7d

    • SHA512

      95dbba9961dd8411acafc04b2393f968d4544a5171a632632c0f114813f71498ff9033ba45f4b7c34afd4c6208f1349606b7548b1e125d8b38f77e508927ff7e

    • SSDEEP

      3072:Fat0g/bZaUAg0FuPOKBNEBNUGXEyaAt7P+6i/xhgariwYLTNaWy42:kp/rAOPOei7TdFW6wgarnYNhB2

    • Score

      1/10

    • Target

      $TEMP/Summary

    • Size

      208KB

    • MD5

      c4b889b1379e2b3eeb956553b719b22a

    • SHA1

      678cd18741c398010aec9f59233d472644d0079f

    • SHA256

      c7a139b90d5d6c0a25d636b76fc32ebeeb06c426595063c925c383cf4bb6445d

    • SHA512

      2611b3b3ff0a0198e08375ac5614427c8e97e796b3e677430f13fb0993645fc80ba610f9e68c6418d6d859349af84372fe000ae26bf2e0ec605880d03c61a86c

    • SSDEEP

      3072:sCV26MqgQTc5F446iYNpK5SB7BJBzLZDKJtIs8di/37EM/j2xQj:si2VWTyFsJ8gNJBnGtINsj

    • Score

      1/10

    • Target

      $TEMP/Turtle

    • Size

      261KB

    • MD5

      7a6ca99cafcf2598d131d5d3e9d5cf65

    • SHA1

      360e087c9ba4a2cbb9ceec9401bc4d784430bc95

    • SHA256

      ef13ed4da127b37926ae39c90b1538facc29468d9a92be8d5c23f8e2042bf492

    • SHA512

      7c43b2d52fe70bf7608cb695bb68adde625daab0098b303382f0d66e05016b3c26cb9a717e82425c9744bbb3f8dfa79834554ca20e008d0b1af02fed4f0aded3

    • SSDEEP

      3072:r1GOezR+VLm84o5z94o5xkcWEa33R/IB6bsMN1y0l9feocsxAXXCgR5xREv:on3R/IBEsMN1y0zffInCekv

    • Score

      1/10

    • Target

      $TEMP/Tv

    • Size

      15KB

    • MD5

      b679ce0e773bb53d98bcca4938135ecf

    • SHA1

      b9607174cdc497bc424ed70402ac217f765244b0

    • SHA256

      9b032e9f6b36d85aed8ae30c2f1212096cc0fb48ca65f13ef11cee6ecf295839

    • SHA512

      c8492ad5a312108d266ea043461ffb8664b7a46dec83c270c924b7618215f7b2a882b1ab6d0223d6296b5105022b5659ff75837626b3fdd032caa93d1b21f4b2

    • SSDEEP

      384:cuGMSYx33To/63pawlGZ+C1WoGu5IIvInN7oB+2wok4ejIvIA8i7oB+2bdmVoGu4:ceRTo/6ptABWoGNIvyoGok44Ivp8iohO

    • Score

      1/10

    • Target

      A u r о r a X/scripts/scripts.dll

    • Size

      18.7MB

    • MD5

      88fd7dbf04bcf75123d02009aea3f7f7

    • SHA1

      cecf16bdad71e54afc941179ea2b7438a04efa1d

    • SHA256

      01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

    • SHA512

      2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917

    • SSDEEP

      393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8

    • Score

      1/10
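A check for an analyst who has been handed a file and wants to tie it to this report. This is an added example, not code from the sandbox or the report: the two digest sets below are the RAR archive and the executable extracted from it, copied from the report above. Both layers are tracked because re-packing the archive changes the archive hashes while the inner executable keeps its own, so a hit on the payload is the one that matters. The `hash_file` and `match_iocs` names and the `archive`/`payload` labels are this example's own, and the bytes hashed in the demo are constructed, not the sample.

```python
"""Check a file against the hashes this sandbox report lists.

Added example, not part of the original report. The digests below are
copied from the report; the bytes hashed in the demo at the bottom are
constructed and are NOT the sample.
"""
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Two layers of the same sample, copied from the report: the RAR archive
# and the RedLine executable extracted from it. The $TEMP/* drops scored
# 1/10 and are deliberately left out so they do not trigger alerts.
REPORT_IOCS = {
    "archive": {  # the .rar listed under General / first Target
        "md5": "6847de14c6e1457fc14fe029e2b1f490",
        "sha1": "97d0f4c6c0431982d1555f1fb759c8b81853b13d",
        "sha256": "09390304176d930c2ff463be7537b7134c74a39ddd13030642d0cb4956cc6d15",
    },
    "payload": {  # the 715KB .exe extracted from the archive
        "md5": "f476fc8e39528472df2b1ab6c5a469e2",
        "sha1": "4d2e57a77b87b99ddcc5369d5fe98e5bac6856f4",
        "sha256": "b245a9e880b92b5525233c4a8cdb8e4d1cda15c7e1a4a6ca7ee99d97cf51488a",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Lowercase hex digests for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes in one pass (samples can be large)."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Return the IOC labels whose hashes agree with the supplied digests.

    One agreeing algorithm is enough for a hit, but if another algorithm
    for the same entry is present and disagrees, something is wrong
    (a mistyped indicator or a deliberate collision) and we fail loudly
    instead of returning a half-match.
    """
    hits = []
    for label, expected in iocs.items():
        shared = [a for a in expected if a in digests]
        agree = [a for a in shared if digests[a].lower() == expected[a]]
        disagree = [a for a in shared if digests[a].lower() != expected[a]]
        if agree and disagree:
            raise ValueError(f"{label}: {agree} match but {disagree} differ")
        if agree:
            hits.append(label)
    return hits


if __name__ == "__main__":
    # Constructed stand-in for "a file someone sent us"; never the real sample.
    demo = hash_bytes(b"constructed placeholder, not the sample")
    print("hits:", match_iocs(demo) or "none")
```

The SSDEEP values in the report are fuzzy hashes and are not recomputed here; comparing them needs the ssdeep library and a similarity threshold, and a fuzzy match is a lead to triage, not an identification.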

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic              Technique                     Count  ID
  Defense Evasion     Modify Registry               1      T1112
  Credential Access   Unsecured Credentials         4      T1552
  Credential Access   Credentials In Files          4      T1552.001
  Discovery           Query Registry                2      T1012
  Discovery           System Information Discovery  2      T1082
  Discovery           Process Discovery             2      T1057
  Discovery           Remote System Discovery       2      T1018
  Collection          Data from Local System        4      T1005
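The behaviour signatures in the target list and the ATT&CK rows above can be joined into a detection that runs on endpoint telemetry. This is an added example, not part of the sandbox report: the rule patterns, the Sysmon-style field names (`type`, `pid`, `target`) and the event records are assumptions made for the demo, while the ATT&CK IDs are the ones the matrix lists. The reason to group hits per process comes from the report itself: an Uninstall-key read or a single file open is unremarkable on its own, whereas one process reading the Uninstall key, a browser credential store and a wallet file is the combination the sandbox flagged.

```python
"""Turn the behaviours this report lists into process-level detection logic.

Added example, not part of the sandbox report. The rules use the ATT&CK IDs
from the report's own matrix; the telemetry records at the bottom are
constructed to look like Sysmon registry/file events and are not real logs.
Field names ("type", "pid", "target") are assumptions for this demo.
"""
import re
from collections import defaultdict

# (behaviour as named in the report, ATT&CK ID from the report's matrix,
#  event type it applies to, pattern over the event's target path)
RULES = [
    ("Checks installed software on the system", "T1012", "RegistryEvent",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Reads user/profile data of web browsers", "T1552.001", "FileAccess",
     re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)),
    ("Accesses cryptocurrency files/wallets", "T1005", "FileAccess",
     re.compile(r"\\(wallet\.dat|Exodus\\|Electrum\\|Ethereum\\keystore)", re.I)),
]


def match_event(event: dict) -> list:
    """(behaviour, attack_id) pairs a single telemetry record triggers."""
    return [(name, tid) for name, tid, etype, pat in RULES
            if event["type"] == etype and pat.search(event["target"])]


def evaluate(events: list) -> dict:
    """Group hits by process so behaviours are judged together, not one by one."""
    per_pid = defaultdict(set)
    for ev in events:
        for hit in match_event(ev):
            per_pid[ev["pid"]].add(hit)
    return dict(per_pid)


def flag(events: list, min_techniques: int = 2) -> list:
    """A lone Uninstall-key read is normal (installers and inventory agents
    do it); flag only processes that stack several distinct techniques."""
    return sorted(pid for pid, hits in evaluate(events).items()
                  if len({tid for _, tid in hits}) >= min_techniques)


# Constructed telemetry: pid 4120 behaves like the report's payload,
# pid 880 is a benign inventory agent, pid 1524 is the user's shell.
SAMPLE_EVENTS = [
    {"pid": 880, "type": "RegistryEvent",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "type": "RegistryEvent",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
    {"pid": 4120, "type": "FileAccess",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "type": "FileAccess",
     "target": r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 1524, "type": "FileAccess",
     "target": r"C:\Users\victim\Desktop\notes.txt"},
]


if __name__ == "__main__":
    for pid, hits in evaluate(SAMPLE_EVENTS).items():
        print(pid, sorted(hits))
    print("flagged:", flag(SAMPLE_EVENTS))
```

On real telemetry the `target` field is `TargetObject` for Sysmon registry events and `TargetFilename` for file events, and the browser and wallet patterns will need extending to the products present in the environment; the threshold in `flag` is the knob that trades missed single-technique stealers for fewer false positives from legitimate inventory tooling.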
