Overview

overview

10

Static

static

3

Aura.exe

windows7-x64

3

Aura.exe

windows10-2004-x64

10

Resubmissions

29-06-2024 09:31

240629-lg563sxglj 10

29-06-2024 09:28

240629-lfeyhaxfrk 10

29-06-2024 09:23

240629-lcqktsxfmk 10

Analysis

  • max time kernel
    79s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aura.exe

  • Size

    493KB

  • MD5

    7e7b8be8a1f1ef05c932ea1e8eab6590

  • SHA1

    f790227a5148d6cba037c24643306f330c6fe5f4

  • SHA256

    c7383b039d569cc256026d6b7985bb763f36530708bca3e4f82fa130d2d7dfbb

  • SHA512

    c57fc80bf97309ca887c88526fc586b080d47c4f2ebe611d40f94f48c0af2b7c56cec19f0379a5bc27bd6a0e2f75bdb7953c05bcc1069633812bbd22649ef890

  • SSDEEP

    12288:qGlz1vS9p1+kOwILHmKfZcBg688m/Iezfihoto8:qyNSgJqBg6NmAeehn

Score
10/10
redline@hitok4111infostealer

Malware Config

Extracted

Family

redline

Botnet

@hitok4111

C2

94.228.166.68:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aura.exe
    "C:\Users\Admin\AppData\Local\Temp\Aura.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:4280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 276
        2⤵
        • Program crash
        PID:4952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4048 -ip 4048
      1⤵
        PID:4456
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4148
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3484" "10292" "10244" "10296" "0" "0" "10300" "10304" "0" "0" "0" "0"
          1⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4484

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4048-0-0x0000000003000000-0x0000000003001000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4280-1-0x0000000000400000-0x0000000000450000-memory.dmp
          Filesize

          320KB

          Download
        • memory/4280-2-0x000000007474E000-0x000000007474F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4280-3-0x00000000056E0000-0x0000000005C84000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4280-4-0x00000000051D0000-0x0000000005262000-memory.dmp
          Filesize

          584KB

          Download
        • memory/4280-5-0x0000000005190000-0x000000000519A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4280-6-0x0000000074740000-0x0000000074EF0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4280-7-0x0000000006670000-0x0000000006C88000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/4280-8-0x0000000008000000-0x000000000810A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4280-9-0x0000000007F10000-0x0000000007F22000-memory.dmp
          Filesize

          72KB

          Download
        • memory/4280-10-0x0000000007F70000-0x0000000007FAC000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4280-11-0x0000000007FB0000-0x0000000007FFC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/4280-12-0x000000007474E000-0x000000007474F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4280-13-0x0000000074740000-0x0000000074EF0000-memory.dmp
          Filesize

          7.7MB

          Download