Overview

overview

10

Static

static

7

Aurora.exe

windows7-x64

10

Aurora.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Aurora.exe

  • Size

    21.3MB

  • Sample

    240726-xdf9bsxdmj

  • MD5

    416de11d210ae0ff50214021ff57b32b

  • SHA1

    3142453c18080b83d8dbdeba89524beea1c94ff3

  • SHA256

    72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850

  • SHA512

    e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c

  • SSDEEP

    393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

Score
10/10
quasarredlinesectopratxmrigcheatthemdasdiscoveryevasionexecutioninfostealerminerpersistenceratspywarethemidatrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

themdas

C2

auroraforge.art:55326

thesirenmika.com:55713
Mutex

0cbdfe7f-0215-41e8-a7b5-d4fbbc555089

Attributes
  • encryption_key

    A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1

  • install_name

    up2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Aurora.exe

    • Size

      21.3MB

    • MD5

      416de11d210ae0ff50214021ff57b32b

    • SHA1

      3142453c18080b83d8dbdeba89524beea1c94ff3

    • SHA256

      72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850

    • SHA512

      e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c

    • SSDEEP

      393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

    Score
    10/10
    quasarredlinesectopratxmrigcheatthemdasdiscoveryevasionexecutioninfostealerminerpersistenceratspywarethemidatrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks