MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AuroraStealer
Vendor detections: 12
IOCs: 12, YARA rule matches: 18

SHA256 hash: 5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
SHA3-384 hash: 0414781dc1f28028ba42691efede482a21ace38196009ca13563b25ed717250461b1954ccb7543e9da16f4e2c534f9d1
SHA1 hash: 27eaed777470e6a9f855894b2af3c7baa1c812eb
MD5 hash: d442830fc92de9465d9bf425922173a5
humanhash: happy-avocado-echo-sodium
File name: file
Download: download sample
Signature: AuroraStealer
File size: 5'018'112 bytes
First seen: 2023-03-17 16:18:19 UTC
Last seen: 2023-03-17 19:32:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 98304:9j3/I9FTuPXPlGUi317EPTiu0ENWS5ywGDZHU:9/MF4l5GgUEMSrwU
Threatray: 8 similar samples on MalwareBazaar
TLSH: T1363612BAB9E5FF0AD8778538C560B335D12A9C129253850DD3DB3210BEB27EC2D86D58
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 736934fc4de8cc92 (4 x Quakbot, 3 x Gozi, 1 x CryptBot)
Reporter: andretavare5
Tags: AuroraStealer exe


Reporter comment (andretavare5): Sample downloaded from https://transfer.sh/get/eMXXrE/2aa22.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 285
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-17 16:19:38 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating synchronization primitives
  Unauthorized injection to a recently created process
  Creating a file
  Launching a process
  Creating a process with a hidden window
  Running batch commands
  Creating a file in the %temp% directory
  Reading critical registry keys
  Sending a TCP request to an infection source
  Stealing user critical data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive obfuscated packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Aurora Stealer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Injects a PE file into foreign processes
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Yara Aurora Stealer
Behaviour
Behavior Graph:
  Behavior Graph ID: 828932
  Sample: file.exe
  Startdate: 17/03/2023
  Architecture: WINDOWS
  Score: 100
  Top-level signatures:
    Snort IDS alert for network traffic
    Antivirus detection for URL or domain
    Antivirus / Scanner detection for submitted sample
    5 other signatures
  Process tree (graph node ids in parentheses):
    file.exe (8)
      dropped: C:\Users\user\AppData\Local\...\file.exe.log, ASCII
      signature: Injects a PE file into foreign processes
      started: file.exe (12), file.exe (16), file.exe (18)
    file.exe (12)
      network: 138.201.198.8, ports 49695, 8081, HETZNER-ASDE Germany
      signature: Tries to harvest and steal browser information (history, passwords, etc)
      started: cmd.exe (20), cmd.exe (22), WMIC.exe (24)
    cmd.exe (20)
      started: WMIC.exe (26), conhost.exe (28)
    cmd.exe (22)
      started: WMIC.exe (30), conhost.exe (32)
    WMIC.exe (24)
      started: conhost.exe (34)
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2023-03-17 16:19:09 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:aurora spyware stealer
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Reads user/profile data of web browsers
  Aurora
Malware Config
C2 Extraction: 138.201.198.8:8081
Unpacked files
SHA256 hash: fedcc7ae634cd8aee8ec53458cc08beccb27b0fd78d64695994e0bcdce3a9ddc
MD5 hash: 02b24cce59910ed99cf99dd58d0521b9
SHA1 hash: 9a7bb988a2ca84ed11428c5ffa98a5bba2e4d7ab

SHA256 hash: 6af134b823ad52ba91f6639ecec063ed1271e4f06ccc8c7cf933dfd871553a36
MD5 hash: 6d9b4eeed3af580f200b49b9977eead4
SHA1 hash: 9013a28cc2b7675cf1fc3c9c8d5688c3e3066093

SHA256 hash: 8d2bb7a2e7ecfc9851a3794332e86f16dacedb865426a9dfe1a2eb8d629afca9
MD5 hash: 7d111b693996ed29a75f1f8126d80e61
SHA1 hash: 43ec972004723eb31e7e3edacfda556e46dfd6e5

SHA256 hash: 5892a93d287a1e4bd97fb09b79b6e2af5643103511f3678c8212ec803ff3b449
MD5 hash: d442830fc92de9465d9bf425922173a5
SHA1 hash: 27eaed777470e6a9f855894b2af3c7baa1c812eb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: grakate_stealer_nov_2021

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_aurora_stealer_a_706a
Author: Johannes Bader
Description: detects Aurora Stealer samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments