MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f313bf5d9b50d94ccfe4d22a0d1561e9d2b8cb525752ce15aaa7b53ca1d05f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AuroraStealer

Vendor detections: 11

SHA256 hash: f313bf5d9b50d94ccfe4d22a0d1561e9d2b8cb525752ce15aaa7b53ca1d05f04
SHA3-384 hash: f0b69c528ae0474bdc86841d6e0f2382dcc5522b03c7c12dff01c7a26c1467d1e1020c9c98e752108ecb0310ea3c9414
SHA1 hash: 1afb7f9a834b62133c46da273b788b941cc58533
MD5 hash: 35c4199af620e774fc51228a61c3b226
humanhash: helium-fifteen-crazy-pennsylvania
File name: VirtualBox-7.0.2-154219-Win.exe
Signature: AuroraStealer
File size: 798'720 bytes
First seen: 2022-12-15 18:45:20 UTC
Last seen: 2022-12-15 20:27:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9:eahOcnHn9BF//1cUJ
Threatray: 739 similar samples on MalwareBazaar
TLSH: T1D005818137BA9416E88369304F47C78A9B1DFC9AFD3030573264F75E1ABADC71A68781
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: b271e094c0f871b2 (1 x AuroraStealer, 1 x ArkeiStealer)
Reporter: abuse_ch
Tags: AuroraStealer exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 180
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: VirtualBox-7.0.2-154219-Win.exe
Verdict: Malicious activity
Analysis date: 2022-12-15 18:46:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Creating a window
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Running batch commands
Unauthorized injection to a recently created process

Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: advpack.dll rundll32.exe setupapi.dll shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100

Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Yara Aurora Stealer

Behaviour
Behavior Graph:
Behavior Graph ID: 767978
Sample: VirtualBox-7.0.2-154219-Win.exe
Start date: 15/12/2022
Architecture: WINDOWS
Score: 84
Signatures on the sample: Yara Aurora Stealer; .NET source code contains potential unpacker; Found many strings related to Crypto-Wallets (likely being stolen)
Process tree (reconstructed from the graph):
- VirtualBox-7.0.2-154219-Win.exe (started)
  - dropped: C:\Users\user\AppData\Local\...\BUSINE~3.EXE (PE32)
  - BUSINE~3.EXE (started)
    - network: wyndellribeiro.com.br 162.241.203.136, 443, 49695 (OIS1US, United States)
    - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Encrypted powershell cmdline option found; Injects a PE file into a foreign processes
    - BUSINE~3.EXE (started)
      - network: 79.137.206.138, 49696, 8081 (PSKSET-ASRU, Russian Federation)
      - signature: Tries to harvest and steal browser information (history, passwords, etc)
      - cmd.exe (started) -> conhost.exe, WMIC.exe
      - cmd.exe (started) -> conhost.exe, WMIC.exe
      - WMIC.exe (started) -> conhost.exe
    - cmd.exe (started)
      - signature: Encrypted powershell cmdline option found
      - powershell.exe (started)
      - conhost.exe (started)
    - powershell.exe (started) -> conhost.exe
    - BUSINE~3.EXE (started)
- rundll32.exe (started)
Threat name: ByteCode-MSIL.Ransomware.Crypmodng
Status: Malicious
First seen: 2022-12-15 19:11:36 UTC
AV detection: 13 of 25 (52.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:aurora persistence spyware stealer

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE

Aurora
Malware Config
C2 Extraction: 79.137.206.138:8081

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f313bf5d9b50d94ccfe4d22a0d1561e9d2b8cb525752ce15aaa7b53ca1d05f04
MD5 hash: 35c4199af620e774fc51228a61c3b226
SHA1 hash: 1afb7f9a834b62133c46da273b788b941cc58533
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments