General

  • Target

    Aurora.exe

  • Size

    21.3MB

  • Sample

    240726-xs6grssanb

  • MD5

    54b11d48df518b331d6e26e991cb7b07

  • SHA1

    ac4ac7f296744fef3bdba55600e99b7e50196b45

  • SHA256

    cad0ea7aa29ccb61cd2c595e27921c89e6fed8b0275d86c5560fcde21a1554bc

  • SHA512

    bf40e890b14162dbbb170579806a81293040dd7855eabf4cdaa14849aeb3cb5ea9f7b017cec7d9bc5a6f934f4f320e97aecb486eaea1aef8fda6fec0ad507b1b

  • SSDEEP

    393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

themdas

C2

auroraforge.art:55326

thesirenmika.com:55713

Mutex

0cbdfe7f-0215-41e8-a7b5-d4fbbc555089

Attributes
  • encryption_key

    A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1

  • install_name

    up2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Aurora.exe

    • Size

      21.3MB

    • MD5

      54b11d48df518b331d6e26e991cb7b07

    • SHA1

      ac4ac7f296744fef3bdba55600e99b7e50196b45

    • SHA256

      cad0ea7aa29ccb61cd2c595e27921c89e6fed8b0275d86c5560fcde21a1554bc

    • SHA512

      bf40e890b14162dbbb170579806a81293040dd7855eabf4cdaa14849aeb3cb5ea9f7b017cec7d9bc5a6f934f4f320e97aecb486eaea1aef8fda6fec0ad507b1b

    • SSDEEP

      393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks