c99b8820a1c79f85af87bb753224f2cb62815a211666e36a336841f738184e2d | Triage

Submit
Reports

Overview

overview

Static

static

9

Aur0raV1/AUR0RA.exe

windows10-1703-x64

Sharing

General

Target

by RyosXpl0its [Goddy's].zip
Size

9.0MB
Sample

240404-wsjsbsfa76
MD5

5ea29c176dab93a64eef19cc9df2819b
SHA1

4c508d88b1e3cc6f30df5d8c6b60175295b2cb17
SHA256

c99b8820a1c79f85af87bb753224f2cb62815a211666e36a336841f738184e2d
SHA512

431ad834e7ef22787a3616e3f53158e0a83ccc6fcbc8a85c4bdf9d0a7d0827cf58c6d3662b5a62c307a0096d1a5313d59d3ae5da50600626d4320152ed04fe18
SSDEEP

196608:BvEKPFCZPaQhk0n5+ubB9joAExRMIFpHHSbw+fX:qKPcZa4k05BB9jopPjFpnUX

Score

10^/10

collection cryptone discovery packer spyware stealer

Static task

static1

cryptone packer

1 signatures

Behavioral task

behavioral1

Sample

Aur0raV1/AUR0RA.exe

Resource

win10-20240404-en

collection discovery spyware stealer

windows10-1703-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  Aur0raV1/AUR0RA.exe
- Size
  
  1.6MB
- MD5
  
  6836af5b9e36906f4505e246e2b299c3
- SHA1
  
  5bff2b67cdd417c0c678e1437dc6887654ccf766
- SHA256
  
  7acdbf629d2f584be945417534dac0d0f4f3d75ae3f0c6d29df5031dffb8692e
- SHA512
  
  e77806f171a87e79c4760d13b91ba5b1a7da700ab3e58859e710c986f1eab070abfabf31e709ec696219609528f0d713c820f1927b7693be9340dc358d512ab8
- SSDEEP
  
  49152:/8hEcYjZEcQO8uGZY/r8h17D/eCTHziY32:/KEv1/WJGCjz8
Score

10^/10

collection discovery spyware stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

collectiondiscoveryspywarestealer

© 2018-2024

Terms | Privacy