MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1136c9de55d2b906975ee695b073bb214e464f619d3ec0c4d2629ebd75a73485. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AuroraStealer
Vendor detections: 5
| SHA256 hash: | 1136c9de55d2b906975ee695b073bb214e464f619d3ec0c4d2629ebd75a73485 |
|---|---|
| SHA3-384 hash: | ad72d82d075f6511cc5f0eca98f06dbaa686e6558e6f6e07a502a6f84676ba70ca87d0c907259ce8155f382c8349ef39 |
| SHA1 hash: | b857d253ffb680f470fa67602873d348e4de27ef |
| MD5 hash: | 87a4ab8a77ea800305e47ebdfc5db7ab |
| humanhash: | arizona-twenty-maine-virginia |
| File name: | java_win64_n1wp7ux1va.zip |
| Signature | AuroraStealer |
| File size: | 6'265'059 bytes |
| First seen: | 2023-02-15 07:09:00 UTC |
| Last seen: | Never |
| File type: | zip |
| MIME type: | application/zip |
| ssdeep | 98304:Lngh7MfXqskWDOt0pX+xmNtv6fyX8b8L9JcZ7Zxfti64qD8aKHo78C:RXqKDOt0pX+Ev6fc8bQcNQ6rJ7J |
| TLSH | T13F56331D42C49295E78F4DF8963F4CD9EA00E50CF2A46BE17E88A1734A7E4BA45E1F31 |
| TrID | 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1) |
| Reporter: | abuse_ch |
| Tags: | AuroraStealer file-pumped malvertising nvidia zip |
Reporter comment (abuse_ch):
AuroraStealer distributed through a malvertising campaign on Google Search, targeting the "nvidia" brand: nvidia.services
-> nvidia1.top
--> https://opticas30.com/java_win64_n1wp7ux1va.exe
AuroraStealer botnet C2:
45.15.156.210:8081
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 45.15.156.210:8081 | https://threatfox.abuse.ch/ioc/1069795/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 104 |
| Origin country: | CH |
File Archive Information
This file archive contains 1 file(s), sorted by their relevance:
| File name: | java_win64_n1wp7ux1va.exe |
|---|---|
| Pumped file | This file is pumped. MalwareBazaar has de-pumped it. |
| File size: | 283'568'129 bytes |
| SHA256 hash: | 8fb273ba752804302bb87573a297953beabe4c99c05d21c7cb4825d9fff3cd0a |
| MD5 hash: | 340c6577104ffaa3f46abc51ce55018a |
| De-pumped file size: | 10'938'368 bytes (Vs. original size of 283'568'129 bytes) |
| De-pumped SHA256 hash: | 29ea64279217578a0e44987a46e5928e1ab377f1d2f54a32180098aafcc03d5c |
| De-pumped MD5 hash: | db93296a4cec200f11a60fe824ff86f5 |
| MIME type: | application/x-dosexec |
| Signature | AuroraStealer |
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Threat name: Win64.Trojan.Pwsx
Status: Malicious
First seen: 2023-02-15 07:10:38 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 5 of 38 (13.16%)
Threat level: 5/5
Detection(s): Suspicious file
Result
Malware family: aurora
Score: 10/10
Tags: family:aurora persistence spyware stealer
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Aurora
Malware Config
C2 Extraction: 45.15.156.210:8081
Please note that we are no longer able to provide a coverage score for VirusTotal.
Threat name: Legit
Score: 0.16
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download -> AuroraStealer zip 1136c9de55d2b906975ee695b073bb214e464f619d3ec0c4d2629ebd75a73485 (this sample)
Delivery method: Distributed via web download