General

  • Target: Aur0 Expl0oit.zip
  • Size: 10.5MB
  • Sample: 240328-m926kaba51
  • MD5: 4a87b10c7b5524724d44d2f8585f97f0
  • SHA1: 62c8fe0ab21dc0a12e5f05bbafbcf1fc33e69a60
  • SHA256: 2a1106628a2a9144da6a14c8cbb8e8c4168822948bcf1e3a2e4018255bfa3f13
  • SHA512: e06345fa2cc83d9606c1c86c9477dbb08a5a29d07ac2745f8f3d81a23a6ab4fc11085cdcc154a9980889578a507120d33f0e845aec1f7f683aeaa475adc835be
  • SSDEEP: 196608:B/pZGdnwk+Y53DIo5+QVpkephRQdgsk+tdzZ393626yRwcZ93MwadRZS:NXGF5+YZDIow0pZRQdDdtd33f8gmZdO

Malware Config

Targets

    • Target: Aur0 Expl0oit/Exec Avr0ra.exe
    • Size: 287.0MB
    • MD5: 82d5fe539bf5f8cc329856f317aeeabc
    • SHA1: 996c2d764a476747c75d5746dbebb48fbbd51293
    • SHA256: e693351836405e775a4dd49eaa00127800e8c09065305a960a7cc860cb569882
    • SHA512: f858ddfa22999936b7160047f48d3e26e523493b08eea48c5457114803e65d99b323e9109ccc23de49ea8897fbe91ff9bc466c805cb8e904f149e04f044abfb3
    • SSDEEP: 49152:7nV6rsrSJRbXdYXWHbWMijWpQRTPOxiaB:7ysOJRbXdgWHFSOxi

    Score: 10/10
    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target: $TEMP/Tgp
    • Size: 189KB
    • MD5: 0bbd8453272bfbb873fb69f3308d4bc1
    • SHA1: ba24b397c30e608234be888640bde34fce8f6120
    • SHA256: 483cb6a8e2a98c9ff10ca18ca8f757340c381b4d6fffd6e86e0d1e9b08aaf131
    • SHA512: 3ef2975a733645855137be9168e2dabbfc376d27abad78871b0426da458d34072d7db91c438727002f9cccc07c2f55e3a06b3807f04dc0c4159b0eb9730b475b
    • SSDEEP: 3072:1Zg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+F:1K5vPeDkjGgQaE/loUDtf0accB3gBmF

    Score: 1/10

MITRE ATT&CK Matrix ATT&CK v13

Tactic              Technique                       ID         Count
Credential Access   Unsecured Credentials           T1552      2
Credential Access   Credentials In Files            T1552.001  2
Discovery           Query Registry                  T1012      3
Discovery           System Information Discovery    T1082      4
Discovery           Peripheral Device Discovery     T1120      1
Discovery           Process Discovery               T1057      1
Discovery           Remote System Discovery         T1018      1
Collection          Data from Local System          T1005      2

Tasks