MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AuroraStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
SHA3-384 hash: 6fb18ea0248a2f926c45b659dd4f86bdd824083b57cb9f636e56f38076c7199ef55ec1bc6cbe2aec445257987c53a3b2
SHA1 hash: 5f75e695bbdca7994d62fe8aa4b3c5cd121bfc23
MD5 hash: 39ce2b13bacdce1889b3ac7addcd471b
humanhash: burger-cola-early-quiet
File name:C4Loader.exe
Download: download sample
Signature AuroraStealer
Create hunting rule
File size:1'163'776 bytes
First seen:2023-03-11 08:14:14 UTC
Last seen:2023-03-11 09:34:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8214c82953573f62086876b910c9e475 (1 x AuroraStealer, 1 x RedLineStealer)
ssdeep 3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Threatray 31 similar samples on MalwareBazaar
TLSH T11835E5C0BC91C1F1D562373145E49A6C9B2BA823CB5349EBFF970B6E4A307C197E0A56
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AuroraStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C4Loader.exe
Verdict:
Malicious activity
Analysis date:
2023-03-11 08:15:23 UTC
Tags:
aurorastealer
Link:
https://app.any.run/tasks/f8af2120-1f13-4fce-b342-5be8ac9a2d05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373501/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.32355.6861.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72625/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware
Link:
https://www.filescan.io/uploads/640c3888d1a098efbc6290ef/reports/4e281fec-1bcf-41db-bf02-2bf0c40d3c30/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kraken
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f731690-5918-4f31-a102-80fe64a37952
Result
Threat name:
Aurora, Clipboard Hijacker, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191615
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Writes to foreign memory regions
Yara Aurora Stealer
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 824491 Sample: C4Loader.exe Startdate: 11/03/2023 Architecture: WINDOWS Score: 100 92 wowouch.net 2->92 94 clientbased.xyz 2->94 96 pastebin.com 2->96 102 Malicious sample detected (through community Yara rule) 2->102 104 Antivirus detection for URL or domain 2->104 106 Antivirus detection for dropped file 2->106 108 17 other signatures 2->108 11 C4Loader.exe 2->11         started        14 cmd.exe 2->14         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 signatures5 120 Contains functionality to inject code into remote processes 11->120 122 Writes to foreign memory regions 11->122 124 Allocates memory in foreign processes 11->124 126 Injects a PE file into a foreign processes 11->126 20 RegSvcs.exe 1 11->20         started        23 WerFault.exe 24 9 11->23         started        128 Uses cmd line tools excessively to alter registry or file data 14->128 27 conhost.exe 14->27         started        29 sc.exe 14->29         started        31 sc.exe 14->31         started        37 8 other processes 14->37 33 conhost.exe 16->33         started        35 conhost.exe 18->35         started        process6 dnsIp7 110 Very long command line found 20->110 112 Encrypted powershell cmdline option found 20->112 39 powershell.exe 15 27 20->39         started        98 192.168.2.1 unknown unknown 23->98 72 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->72 dropped file8 signatures9 process10 dnsIp11 100 connect2me.hopto.org 37.139.129.113, 3333, 443, 49711 LVLT-10753US Germany 39->100 74 C:\Users\user\AppData\Local\Temp\new2.exe, PE32+ 39->74 dropped 76 C:\Users\user\AppData\Local\Temp\SysApp.exe, PE32 39->76 dropped 78 C:\Users\user\AppData\...\SmartDefRun.exe, PE32+ 39->78 dropped 80 C:\Users\user\AppData\Local\...\C4Loader.exe, PE32 39->80 dropped 116 Powershell drops PE file 39->116 44 SmartDefRun.exe 39->44         started        48 new2.exe 11 39->48         started        51 SysApp.exe 2 39->51         started        53 2 other processes 39->53 file12 118 Detected Stratum mining protocol 100->118 signatures13 process14 dnsIp15 82 C:\Users\user\AppData\Local\...\cofklued.tmp, PE32+ 44->82 dropped 84 C:\Program Files\...\SmartScreenQC.exe, PE32+ 44->84 dropped 86 C:\Windows\System32\drivers\etc\hosts, ASCII 44->86 dropped 130 Antivirus detection for dropped file 44->130 132 Multi AV Scanner detection for dropped file 44->132 134 Modifies the hosts file 44->134 136 Adds a directory exclusion to Windows Defender 44->136 90 107.182.129.73, 49715, 8081 META-ASUS Reserved 48->90 138 Machine Learning detection for dropped file 48->138 140 Tries to harvest and steal browser information (history, passwords, etc) 48->140 55 cmd.exe 48->55         started        58 cmd.exe 48->58         started        60 WMIC.exe 48->60         started        88 C:\Users\user\AppData\...\fodhelper.exe, PE32 51->88 dropped file16 signatures17 process18 signatures19 114 Uses cmd line tools excessively to alter registry or file data 55->114 62 conhost.exe 55->62         started        64 WMIC.exe 55->64         started        66 conhost.exe 58->66         started        68 WMIC.exe 58->68         started        70 conhost.exe 60->70         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42/
Threat name:
Win32.Spyware.Aurorastealer
Create hunting rule
Status:
Malicious
First seen:
2023-03-11 08:20:38 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbbbbi7v77ur5uy3exvkiwt4vvvkvia6ks2oesxbbwoinugjdjba._file
Verdict:
malicious
Similar samples:
4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
AuroraStealer
523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10
AuroraStealer
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
AuroraStealer
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
AuroraStealer
cc8238f4425e62f6c878a84ac794db812c619508dc916e2bde50f7a5f6152ba5
AuroraStealer
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
AuroraStealer
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
AuroraStealer
eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
AuroraStealer
+ 21 additional samples on MalwareBazaar
Result
Malware family:
aurora
Create hunting rule
Score:
  10/10
Tags:
family:aurora evasion spyware stealer
Link:
https://tria.ge/reports/230311-j5kh6sgh95/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Aurora
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
107.182.129.73:8081
Unpacked files
SH256 hash:
104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
MD5 hash:
39ce2b13bacdce1889b3ac7addcd471b
SHA1 hash:
5f75e695bbdca7994d62fe8aa4b3c5cd121bfc23
Link:
https://www.unpac.me/results/cc804453-23d5-4af7-be5c-a7daf9949cc3/
Malware family:
Aurora
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/104210a3f5ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373501/

Comments