aurora | 2f8afa5c2e8c5904f07fb09b4196bdf33a31f4fe9eb62c9774c59500e16675d9

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 23:41

Target

3092939bde0ec7e9306daeb85977ba60N.exe
Size

4.9MB
MD5

3092939bde0ec7e9306daeb85977ba60
SHA1

54b2284e4834f33428061119574dd178f97932dc
SHA256

2f8afa5c2e8c5904f07fb09b4196bdf33a31f4fe9eb62c9774c59500e16675d9
SHA512

6475c8764d25a3659aa6ac27c9b5f83b09849bb2bd073041d7a1b5fd8474308829a620ed1a6c820f0e1e098bac14d32b046bff5af0058e421782f6d8669a1406
SSDEEP

49152:gexu0GaRHcIef7bVn/XJqmzXplalRkNP4a5wUKCf96Cwsu5o4aELTw4F0ah9gO+Y:zYYeXJJYnkNw8wTZssiahIMr

Score

10^/10

aurora stealer

Family

aurora

45.132.106.77:8081

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Suspicious use of SetThreadContext 1 IoCs

Processes:

3092939bde0ec7e9306daeb85977ba60N.exe

description pid process target process

PID 3872 set thread context of 1864 3872 3092939bde0ec7e9306daeb85977ba60N.exe RuntimeBroker.exe

description	pid	process	target process
PID 3872 set thread context of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3092939bde0ec7e9306daeb85977ba60N.exe

description	pid	process	target process
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe
PID 3872 wrote to memory of 1864	3872	3092939bde0ec7e9306daeb85977ba60N.exe	RuntimeBroker.exe

C:\Windows\system32\RuntimeBroker.exe
C:\Windows\system32\RuntimeBroker.exe
2⤵
PID:1864

memory/1864-16-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-19-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-21-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-25-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-2-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-22-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-6-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-18-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-23-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-10-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-4-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-1-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-20-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-12-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/1864-8-0x0000000000400000-0x0000000000773000-memory.dmp

Filesize
3.4MB

Download
memory/3872-24-0x0000000000210000-0x000000000072A000-memory.dmp

Filesize
5.1MB

Download