General
  Target: AuroraX.zip
  Size: 12.3MB
  Sample: 240418-we3chsag39
  MD5: e850403521c6072187a7712d767d74d6
  SHA1: 22ca0e8468328c093cbd50e362831ad97e86da9c
  SHA256: 22dd3a37795cb305f8aa1d894b832343549cf104cf498628c3a7d55e6ffa5812
  SHA512: 44eb7b29c9793a0b9d30d0d65fa47989a8c0421b23d252e5c493613c8a2139e3764cd13504d5d008793a0ea3d498ee81f23f59d7db31244821c2d7cfb92f4d35
  SSDEEP: 196608:q/I5zY0znpdXcNaWUg9aUIU7OVHi1/dyNMUxJw1KDtfZNNoPPo:kFopdmYg9IOYHi1VeMUxJbBffqPQ

Malware Config
  Extracted: risepro
  45.15.156.142:50500
Targets
  Target: AuroraX/AURORA V1.exe
  Size: 287.0MB
  MD5: b69b8bbe558142582d2877ad31457857
  SHA1: 31332c0162acd3da9b53cd5738b3589777ae0fe6
  SHA256: d18f26391a2fdd397d1744e999ebed2abf76890afb05b37542cf1565c932a52e
  SHA512: 49f7b1bad517516b8255ee490755ab3e8497ae458f45617e3131ef5ed0eb7026291aa024c63b55a6a59b0c4d0ce1cfc89a726e42b72380012eca3af95c45d6ef
  SSDEEP: 24576:WbSqndca7b4b9Be8R00phMRBuTpFNc/GreAVmYq3/Dqaol2afRZ6K0/lPjDPlr9:M5bb4BrRdIi0We1Ydak2apyNPX

  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  - Executes dropped EXE
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of SetThreadContext