Analysis

  • max time kernel
    42s
  • max time network
    59s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
  • submitted
    29-08-2024 18:58

General

  • Target

    XOVLAUNCHER.rar

  • Size

    1.5MB

  • MD5

    756829ec0d4d18d94f16c4a96a085a93

  • SHA1

    9f969e7e7f8af031a3436f4f017010488177bc71

  • SHA256

    c6ac37ecc79400cf18c368318d7d06acaa01da055400867b85849b3622d2381c

  • SHA512

    b04836e28158336c4e8482ef3e03d2e7dbaba61d8c97d4280dc1c13bd23c2fadc2090673f6a3bcb851dba918e892596dcfef408ced0c2b966ba4c280491f787e

  • SSDEEP

    24576:Ccm8v+tBIz8VazDOL6cUQXYp7jfgaMHsgLJbzEjqq+N9wFkOm2ONLV+cT55qFuWb:CtI/DOLpXYyaMZ5moHwINB+cV5qRqMx1

Score
10/10

Malware Config

Extracted

Family

aurora

C2

146.19.24.118:8081

Signatures

  • Aurora

    Aurora is an information stealer written in Go that targets cryptocurrency wallets.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\XOVLAUNCHER.rar
    1⤵
    • Modifies registry class
    PID:3220
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5004
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2236
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XOVLAUNCHER.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1456
  • C:\Users\Admin\Desktop\XOVLAUNCHER.exe
    "C:\Users\Admin\Desktop\XOVLAUNCHER.exe"
    1⤵
    • Executes dropped EXE
    PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13


Downloads

  • C:\Users\Admin\Desktop\XOVLAUNCHER.exe
    Filesize

    4.4MB

    MD5

    bebf44172a15aae24667e4ae86b5b467

    SHA1

    c6197bdb47a1df44c06eebb9e67179fd0ba1c12f

    SHA256

    db440efc6d026b48a8ebc3784ad9f9cd6c6ee17941720b7b6b4d3c20e8d06d52

    SHA512

    72ade5b9e5e5d63ed8b65c989bbe0da9a18cccde6d264b482968a0e4253f4959cbaa42509f0d4f58fe6e7ccafd6dae4958a54d106e68bb364013d4a657a3a8c8
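The hashes, the dropped-file path and the C2 address above are the parts of this report that transfer directly into detection. The following Python scanner is an added example, not part of the sandbox report or of any vendor tooling: it takes the two SHA256 values, the C2 socket and the "Executes dropped EXE" behaviour (an .exe written to a user-writable directory and then started) and runs them over endpoint telemetry. The telemetry schema (pipe-separated Key=Value fields with EventType ProcessCreate, FileWrite or NetworkConnect), the Scanner class and the sample log lines are constructed for illustration; only the indicators themselves come from the report.

```python
"""Match the indicators and the 'Executes dropped EXE' behaviour from this
Aurora report against endpoint telemetry.

Added example, not part of the sandbox report. The telemetry schema
(pipe-separated Key=Value fields with EventType ProcessCreate, FileWrite,
NetworkConnect) and the sample lines are constructed for illustration; the
hashes, the C2 address and the file paths are taken from the report.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the report.
IOC_SHA256 = {
    "c6ac37ecc79400cf18c368318d7d06acaa01da055400867b85849b3622d2381c": "XOVLAUNCHER.rar (submitted sample)",
    "db440efc6d026b48a8ebc3784ad9f9cd6c6ee17941720b7b6b4d3c20e8d06d52": "XOVLAUNCHER.exe (dropped Aurora payload)",
}
C2 = ("146.19.24.118", "8081")

# Assumption: directories a non-admin user can write to, where dropped payloads usually land.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' line into a dict with lower-cased keys."""
    out = {}
    for part in line.strip().split("|"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


@dataclass
class Scanner:
    """Stateful scanner: remembers .exe files written to user directories so that a
    later ProcessCreate of the same path is flagged as 'executes dropped EXE'."""
    dropped: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def feed(self, line: str) -> None:
        ev = parse_event(line)
        kind = ev.get("eventtype")
        sha = ev.get("sha256", "").lower()
        image = ev.get("image", "").lower()
        target = ev.get("targetfilename", "").lower()

        # Rule 1: exact hash match against the report's file hashes (either file write or process start).
        if sha in IOC_SHA256:
            subject = target if kind == "FileWrite" else image
            self.findings.append(Finding("high", "known_hash", f"{subject} = {IOC_SHA256[sha]}"))

        if kind == "FileWrite":
            # Remember executables dropped into user-writable locations.
            if target.endswith(".exe") and USER_WRITABLE.match(target):
                self.dropped.add(target)
        elif kind == "ProcessCreate":
            # Rule 2: the 'Executes dropped EXE' behaviour from the report's signatures.
            if image in self.dropped:
                self.findings.append(Finding("medium", "executes_dropped_exe", image))
        elif kind == "NetworkConnect":
            # Rule 3: connection to the extracted C2 (IP and port must both match).
            if (ev.get("destinationip"), ev.get("destinationport")) == C2:
                self.findings.append(Finding("high", "aurora_c2_connection", f"{image} -> {C2[0]}:{C2[1]}"))


def scan(lines) -> list:
    """Run every line through one Scanner and return its findings in event order."""
    s = Scanner()
    for line in lines:
        s.feed(line)
    return s.findings


# Constructed telemetry shaped after the process tree in the report (not real logs).
SAMPLE_LOG = [
    "EventType=ProcessCreate|Image=C:\\Program Files\\7-Zip\\7zFM.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventType=FileWrite|Image=C:\\Program Files\\7-Zip\\7zFM.exe|TargetFilename=C:\\Users\\Admin\\Desktop\\XOVLAUNCHER.exe|SHA256=db440efc6d026b48a8ebc3784ad9f9cd6c6ee17941720b7b6b4d3c20e8d06d52",
    "EventType=ProcessCreate|Image=C:\\Users\\Admin\\Desktop\\XOVLAUNCHER.exe|SHA256=db440efc6d026b48a8ebc3784ad9f9cd6c6ee17941720b7b6b4d3c20e8d06d52",
    "EventType=NetworkConnect|Image=C:\\Users\\Admin\\Desktop\\XOVLAUNCHER.exe|DestinationIp=146.19.24.118|DestinationPort=8081",
    "EventType=NetworkConnect|Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=146.19.24.118|DestinationPort=443",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Note that the last sample line, a connection to the same IP on port 443, is deliberately not flagged: the report extracts the C2 as an IP and port pair, and matching on the IP alone would fire on unrelated traffic to shared hosting. In practice the hash rules are brittle (a repacked sample changes them) while the dropped-then-executed behaviour and the C2 socket survive longer.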