General
-
Target
by RyosXpl0its [Goddys].zip
-
Size
9.0MB
-
Sample
240405-mdjz4saa39
-
MD5
5ea29c176dab93a64eef19cc9df2819b
-
SHA1
4c508d88b1e3cc6f30df5d8c6b60175295b2cb17
-
SHA256
c99b8820a1c79f85af87bb753224f2cb62815a211666e36a336841f738184e2d
-
SHA512
431ad834e7ef22787a3616e3f53158e0a83ccc6fcbc8a85c4bdf9d0a7d0827cf58c6d3662b5a62c307a0096d1a5313d59d3ae5da50600626d4320152ed04fe18
-
SSDEEP
196608:BvEKPFCZPaQhk0n5+ubB9joAExRMIFpHHSbw+fX:qKPcZa4k05BB9jopPjFpnUX
Behavioral task
behavioral1
Sample
Aur0raV1/AUR0RA.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Aur0raV1/AUR0RA.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$INTERNET_CACHE/Divisions.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$INTERNET_CACHE/Divisions.ps1
Resource
win10v2004-20240319-en
Behavioral task
behavioral5
Sample
Aur0raV1/scripts/scripts.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Aur0raV1/scripts/scripts.dll
Resource
win10v2004-20240226-en
Malware Config
Targets
-
-
Target
Aur0raV1/AUR0RA.exe
-
Size
1.6MB
-
MD5
6836af5b9e36906f4505e246e2b299c3
-
SHA1
5bff2b67cdd417c0c678e1437dc6887654ccf766
-
SHA256
7acdbf629d2f584be945417534dac0d0f4f3d75ae3f0c6d29df5031dffb8692e
-
SHA512
e77806f171a87e79c4760d13b91ba5b1a7da700ab3e58859e710c986f1eab070abfabf31e709ec696219609528f0d713c820f1927b7693be9340dc358d512ab8
-
SSDEEP
49152:/8hEcYjZEcQO8uGZY/r8h17D/eCTHziY32:/KEv1/WJGCjz8
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-
-
-
Target
$INTERNET_CACHE/Divisions
-
Size
205KB
-
MD5
6587ab2d1dcd29d04dfd96da914a7daa
-
SHA1
56542caebbc1f2c54e93ac61b09e2aed10d33602
-
SHA256
31af7aa98bf94ba8557d9df52514cac419e7caff3754686d00bf325dea5c1c67
-
SHA512
58bac4c92b41a6435962557b2e619dbaecac26f022a652b4eeeff59733adbe88fe13d62207c2dc69821da4c8490bf042a7a212b7e5d4f266ed9081118fd39f21
-
SSDEEP
3072:Mb1aCYbFP4ktmS2ZhUWWOPstQrBPstpPstRCdgRzIgir9RODO7svFbHmmZTLv+cJ:/hrbODO7DxTkBH
Score1/10 -
-
-
Target
Aur0raV1/scripts/scripts.dll
-
Size
18.7MB
-
MD5
88fd7dbf04bcf75123d02009aea3f7f7
-
SHA1
cecf16bdad71e54afc941179ea2b7438a04efa1d
-
SHA256
01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4
-
SHA512
2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917
-
SSDEEP
393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-