Overview

overview

10

Static

static

10

Aurora.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    6s
  • max time network
    6s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-06-2024 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aurora.exe

  • Size

    25.9MB

  • MD5

    fbf3377a2792a5c659b324758e1a3424

  • SHA1

    f6aec1d479dec9971c83f042dd641951edd4e05f

  • SHA256

    27ef1ed7a6cd92d08e23da1e80f3889fbab55b504e633d914983b69c17e2e7dc

  • SHA512

    67d092f5ef7c559f7b5eecb734e8b9c896a35ab354f3eb9ce98173a13b2a0ad303662267b705817028f2785530bcfecb6150e123a2ca22680b820503506c346d

  • SSDEEP

    196608:+QPY9mgGvkHEAsdtLRVRXgFqKQbEZxRHY:6M7sHEAEtLNXgFqxbEZxK

Score
10/10
aurorarhadamanthysshurkinfostealerstealer

Malware Config

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aurora.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
      "C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
      2⤵
      • Executes dropped EXE
      PID:3640
    • C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:200
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
    Filesize

    25.4MB

    MD5

    ad9aa927339dc830a38021afbe20a85f

    SHA1

    8017bea5f073064a27f61390ce6433cc110f55ea

    SHA256

    6815733e84bc19b0e7d24533f6295c929cd48be501b226e3a9fd12806a7a4e71

    SHA512

    43d95d09404f4407083f25ac59f9c31855ed715309037be6ba9e05d26af3ee073e786ee2d12f72f3e1fedebf8529c8b31dc2b7e485ab08b7e21fce2abcf260fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    Filesize

    479KB

    MD5

    eb580bc45a382527d2f1ff80c542bd9d

    SHA1

    0b95c965fe80c9b9d9270be74817a8771bb02daa

    SHA256

    99bd6ee7da4edad447fba55a6b11538927013586ef617e70a0ff4765adae22db

    SHA512

    a3f4563d4ee61a0bdc612c849f13711af961514cbe3ce48ab9af0b905c8df278f470e902bc50b64d95055f2bd69fd288bba1dd0405caf9e4a42585cdf6b3e23c

    Download Submit

  • memory/200-19-0x0000000075580000-0x0000000075742000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/200-8-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/200-21-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/200-15-0x0000000003150000-0x0000000003550000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/200-16-0x0000000003150000-0x0000000003550000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/200-17-0x00007FF84FDF0000-0x00007FF84FFCB000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3308-20-0x0000000002EA0000-0x0000000002EA9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3308-23-0x00000000049D0000-0x0000000004DD0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3308-26-0x0000000075580000-0x0000000075742000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3308-24-0x00007FF84FDF0000-0x00007FF84FFCB000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3640-14-0x00007FF7FB7A0000-0x00007FF7FD0AB000-memory.dmp

    Filesize

    25.0MB

    Download

  • memory/4612-10-0x0000000000400000-0x0000000001DEF000-memory.dmp

    Filesize

    25.9MB

    Download