aurora | 27ef1ed7a6cd92d08e23da1e80f3889fbab55b504e633d914983b69c17e2e7dc

Resubmissions

29-05-2024 02:58

240529-df8ltafh4w 10

Analysis

max time kernel
6s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora.exe
Size

25.9MB
MD5

fbf3377a2792a5c659b324758e1a3424
SHA1

f6aec1d479dec9971c83f042dd641951edd4e05f
SHA256

27ef1ed7a6cd92d08e23da1e80f3889fbab55b504e633d914983b69c17e2e7dc
SHA512

67d092f5ef7c559f7b5eecb734e8b9c896a35ab354f3eb9ce98173a13b2a0ad303662267b705817028f2785530bcfecb6150e123a2ca22680b820503506c346d
SSDEEP

196608:+QPY9mgGvkHEAsdtLRVRXgFqKQbEZxRHY:6M7sHEAEtLNXgFqxbEZxK

Score

10^/10

aurora rhadamanthys shurk infostealer stealer

Malware Config

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023407-4.dat	shurk_stealer
behavioral1/memory/4392-20-0x0000000000400000-0x0000000001DEF000-memory.dmp	shurk_stealer
behavioral1/memory/3068-23-0x00007FF7258E0000-0x00007FF7271EB000-memory.dmp	shurk_stealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Aurora.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	Aurora 22.12.2022_.exe
3756	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3756	main.exe
3756	main.exe
4492	dialer.exe
4492	dialer.exe
4492	dialer.exe
4492	dialer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3068	4392	Aurora.exe	85
PID 4392 wrote to memory of 3068	4392	Aurora.exe	85
PID 4392 wrote to memory of 3756	4392	Aurora.exe	87
PID 4392 wrote to memory of 3756	4392	Aurora.exe	87
PID 4392 wrote to memory of 3756	4392	Aurora.exe	87
PID 3756 wrote to memory of 4492	3756	main.exe	90
PID 3756 wrote to memory of 4492	3756	main.exe	90
PID 3756 wrote to memory of 4492	3756	main.exe	90
PID 3756 wrote to memory of 4492	3756	main.exe	90
PID 3756 wrote to memory of 4492	3756	main.exe	90

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
  "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe

Filesize
25.4MB

MD5
ad9aa927339dc830a38021afbe20a85f

SHA1
8017bea5f073064a27f61390ce6433cc110f55ea

SHA256
6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

SHA512
43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
479KB

MD5
eb580bc45a382527d2f1ff80c542bd9d

SHA1
0b95c965fe80c9b9d9270be74817a8771bb02daa

SHA256
99bd6ee7da4edad447fba55a6b11538927013586ef617e70a0ff4765adae22db

SHA512
a3f4563d4ee61a0bdc612c849f13711af961514cbe3ce48ab9af0b905c8df278f470e902bc50b64d95055f2bd69fd288bba1dd0405caf9e4a42585cdf6b3e23c

Download Submit
memory/3068-23-0x00007FF7258E0000-0x00007FF7271EB000-memory.dmp

Filesize
25.0MB

Download
memory/3756-25-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/3756-24-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/3756-27-0x00007FFFF24D0000-0x00007FFFF26C5000-memory.dmp

Filesize
2.0MB

Download
memory/3756-30-0x0000000077060000-0x0000000077275000-memory.dmp

Filesize
2.1MB

Download
memory/3756-33-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3756-28-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/3756-26-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/3756-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4392-20-0x0000000000400000-0x0000000001DEF000-memory.dmp

Filesize
25.9MB

Download
memory/4492-31-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/4492-34-0x00000000021F0000-0x00000000025F0000-memory.dmp

Filesize
4.0MB

Download
memory/4492-35-0x00007FFFF24D0000-0x00007FFFF26C5000-memory.dmp

Filesize
2.0MB

Download
memory/4492-37-0x0000000077060000-0x0000000077275000-memory.dmp

Filesize
2.1MB

Download