General

  • Target: AuroraX.zip
  • Size: 12.3MB
  • Sample: 240418-we3chsag39
  • MD5: e850403521c6072187a7712d767d74d6
  • SHA1: 22ca0e8468328c093cbd50e362831ad97e86da9c
  • SHA256: 22dd3a37795cb305f8aa1d894b832343549cf104cf498628c3a7d55e6ffa5812
  • SHA512: 44eb7b29c9793a0b9d30d0d65fa47989a8c0421b23d252e5c493613c8a2139e3764cd13504d5d008793a0ea3d498ee81f23f59d7db31244821c2d7cfb92f4d35
  • SSDEEP: 196608:q/I5zY0znpdXcNaWUg9aUIU7OVHi1/dyNMUxJw1KDtfZNNoPPo:kFopdmYg9IOYHi1VeMUxJbBffqPQ

Malware Config

Extracted

  • Family: risepro
  • C2: 45.15.156.142:50500

Targets

    • Target: AuroraX/AURORA V1.exe
    • Size: 287.0MB
    • MD5: b69b8bbe558142582d2877ad31457857
    • SHA1: 31332c0162acd3da9b53cd5738b3589777ae0fe6
    • SHA256: d18f26391a2fdd397d1744e999ebed2abf76890afb05b37542cf1565c932a52e
    • SHA512: 49f7b1bad517516b8255ee490755ab3e8497ae458f45617e3131ef5ed0eb7026291aa024c63b55a6a59b0c4d0ce1cfc89a726e42b72380012eca3af95c45d6ef
    • SSDEEP: 24576:WbSqndca7b4b9Be8R00phMRBuTpFNc/GreAVmYq3/Dqaol2afRZ6K0/lPjDPlr9:M5bb4BrRdIi0We1Ydak2apyNPX

    Score: 10/10

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2
    • Process Discovery (T1057): 1
    • Remote System Discovery (T1018): 1

  • Collection
    • Data from Local System (T1005): 2

Tasks