{
	"id": "5eaebae4-0782-471e-b0cc-b27dbffdb2f3",
	"created_at": "2026-04-06T01:29:41.065896Z",
	"updated_at": "2026-04-10T13:12:10.656049Z",
	"deleted_at": null,
	"sha1_hash": "8b27321c0c8126dbd3555581b7d9dd335bd011cb",
	"title": "eSentire Threat Intelligence Malware Analysis: Aurora Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 26741413,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: Aurora Stealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-06 01:04:42 UTC\r\nSince December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer malware infections\r\nin the manufacturing industry. It's distributed via fake Google Ads for Notepad++ installer. Aurora Stealer gathers\r\nsensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera,\r\nBrave, Mozilla Firefox, Chrome, etc. However, it is worth noting that the stealer does not collect credentials from\r\nMozilla Firefox.\r\nThe malware is priced at $125USD per month, $300USD for 3 months access, and $1,000USD for lifetime access.\r\nIn order to avoid detection from antivirus scanners, the binary code is filled with junk bytes to increase the file\r\nsize.\r\nThis malware analysis delves deeper into the technical details of how the Aurora Stealer malware operates and our\r\nsecurity recommendations to protect your organization from being exploited.\r\nKey Takeaways\r\nThe Aurora Stealer developer is actively working on the Aurora botnet, which includes various modules\r\nsuch as the loader, DDoS (distributed denial-of-service), crypto wallet brute-force,\r\nHVNC/HRDP/RDP/VNC, Nmap scanner.\r\nAurora Stealer stores its configurations in base64-encoded format.\r\nThe stealer logs are sent to a C2 via a default port 8081 in a GZIP-compressed, base64-encoded, JSON\r\nformat.\r\nAurora Stealer is equipped with grabber and loader modules that allow it to collect specific files and\r\nfolders, as well as introduce additional malware onto a system.\r\nCase Study Aurora Stealer\r\nDrive-by downloads are becoming increasingly common as attackers find new ways to access and exfiltrate\r\nsensitive data.\r\nSince December 2022, the eSentire Threat Response Unit (TRU) has observed several Aurora Stealer infections in\r\nthe manufacturing industries. 
The stealer is distributed via Google Ads as a fake installer for Notepad++, TeamViewer, Nvidia drivers, and other popular software (Figures 1-3).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer\r\nPage 1 of 35\n\nFigure 1: Malicious Google Ads\r\nFigure 2: Fake Notepad++ page distributing Aurora Stealer\r\nFigure 3: Fake TeamViewer download page distributing Aurora Stealer\r\nThe stealer uses the Cheshire Cat from Alice in Wonderland as its mascot and began appearing for sale on Russian-speaking forums in early 2022. It is written in Golang, is advertised as targeting over 90 crypto wallets, and has an embedded Loader module that includes a downloader and a PowerShell runner; the developer claims that the stealer needs no dependencies to function.\r\nThe stealer also has a web panel, so the operator does not have to work directly on the dedicated server (“dedik” in Russian hacking-forum slang, Russian: дедик) that hosts the stealer back end and processes the logs. The stealer is priced at $125 for one month of access, $300 for three months, and $1,000 for lifetime access. 
The stealer does not run in Russia or the CIS (Commonwealth of Independent States) countries (Figures 4-6).\r\nFigure 4: Aurora Stealer seller on a Russian-speaking forum\r\nFigure 5: Aurora Stealer reseller\r\nFigure 6: Aurora Stealer pricing compared to other stealers on the market\r\nAt the time of writing, the malware developer advertised that pre-orders come with lifetime access to the Aurora Botnet and Aurora Stealer, including all modules such as DDoS, SiteScanner, Loader, Brute Force, and PowerShell/CMD execution (Figure 7).\r\nFigure 7: Pre-order advertisement on Aurora Stealer's Telegram channel\r\nThe pre-order costs $1,000. The botnet is a separate panel that lets an attacker execute remote commands and perform specific tasks on infected hosts, and remote into them using hVNC/HRDP/RDP/VNC (Figures 8-10).\r\nFigure 8: Botnet panel (1)\r\nFigure 9: Botnet panel (2)\r\nFigure 10: Botnet panel (3)\r\nThe Aurora Stealer login page is shown in Figure 11. 
A snippet of the Aurora manual for setting up and using the malware is shown in Figure 12.\r\nFigure 11: Aurora Stealer authentication panel\r\nFigure 12: Snippet of the manual on how to set up the stealer\r\nSo, how does it spread?\r\nAurora Stealer is spread via installs (Russian: инсталл), also known as Pay-Per-Install (PPI) services, via traffers (Russian: трафферы), or via Google Ads. Pay-Per-Install (PPI) is an online advertising model in which advertisers pay publishers a commission for every installation of their software that results from the publisher's promotion. The end user is redirected to an attacker's landing page (Russian slang: ленд), from which they download the malicious stealer payload.\r\nInstall services can also spread the stealer through already-infected hosts, for example hosts infected with other malware families such as RATs (Remote Access Trojans). One of the popular install services that Aurora Stealer uses is InstallLabs (Figure 13).\r\nTraffers are groups of people responsible for spreading stealers via links to the download pages posted on social media platforms such as Facebook and YouTube. The worker (Russian: воркер) is the individual within a traffer group who is responsible for spreading the stealer.\r\nFigure 13: InstallLabs ad on a Russian-speaking forum\r\nHow can the stealer remain undetected?\r\nTo evade antivirus scanners, the attacker(s) usually pad the stealer binary with junk bytes to inflate the file size, then archive and password-protect it. 
Aurora Stealer lets users pack the build (stealer payload) or pad it with junk bytes to inflate the file size for antivirus and sandbox evasion, since many scanners and sandboxes skip or truncate files above a size limit (Figure 14).\r\nFigure 14: Build panel\r\nInflating the file size can significantly affect the stealer execution rate (Russian: отстук), the metric operators use to judge how many delivered payloads actually run and report back to the server. The higher that rate, the more likely the attacker receives all of the stolen logs.\r\nThe attacker(s) can bypass SmartScreen warnings by purchasing an EV code-signing certificate. SmartScreen is a security feature in Microsoft Windows that warns users about potentially unsafe websites and downloads. It uses a database of known threats, download and publisher reputation, and machine learning to identify new and suspicious files.\r\nAn EV (Extended Validation) certificate is a digital certificate whose issuance requires the certificate authority to verify the legal identity of the requesting organization. EV TLS certificates are commonly used by financial and e-commerce websites and historically turned the browser address bar green; the variant that matters here is the EV code-signing certificate, which is issued on a hardware token and gives a signed binary immediate SmartScreen reputation instead of the “unrecognized app” warning shown for unknown files. EV certificates are considered the highest level of validation, are expensive to obtain legitimately, and are therefore traded on criminal markets (Figure 15).\r\nFigure 15: EV certificate being sold on Telegram\r\nA code-signing certificate also changes how User Account Control (UAC), a security feature in Windows that helps prevent unauthorized changes to a computer, presents the binary, although it does not suppress the prompt itself. 
When a user attempts to perform an action that requires elevated permissions, such as installing software or changing system settings, a UAC alert appears asking the user to confirm the action; for a signed binary the prompt shows the verified publisher name rather than an unknown-publisher warning, which makes users more likely to approve it.\r\nThe Case of a Cheshire Cat\r\nThe infection starts with basic reconnaissance commands spawned from wmic.exe and cmd.exe (Figure 16):\r\nwmic os get Caption: returns the name of the operating system installed on the computer.\r\ncmd /C “wmic cpu get name”: returns the processor name.\r\ncmd /C “wmic path Win32_VideoController get name”: returns the name of the video controller.\r\nFigure 16: Infection chain\r\nAs mentioned above, the stealer is written in Go; without any size pumping or crypting (obfuscating and encrypting the binary), the stealer binary is 2.96 MB in size.\r\nThe Aurora developer(s) offer their own crypting service for $40 per crypt or $300 for 10 crypts (Figure 17).\r\nFigure 17: Crypt pricing\r\nThe function responsible for enumerating the GPU, the CPU, and the operating system caption is shown in Figures 18-20. 
The gathered information is sent to the stealer's panel and stored in a text file named “UserInformation”.\r\nFigure 18: Enumeration function (1)\r\nFigure 19: Enumeration function (2)\r\nFigure 20: Enumeration function (3)\r\nThe stealer mainly uses win, a Windows API package for Go, for tasks such as taking a screenshot of the host via GetDC, CreateCompatibleDC, CreateCompatibleBitmap, and BitBlt (Figure 21).\r\nFigure 21: Screenshot capture function\r\nThe stealer retrieves the GUID of the infected machine by querying the MachineGuid value under HKLM\\SOFTWARE\\Microsoft\\Cryptography (Figure 22).\r\nFigure 22: Function responsible for getting the MachineGuid\r\nThe functions shown below are responsible for getting the infected machine's screen size and contain the Build ID and Build Group. This information is also written to the “UserInformation” text file (Figure 23).\r\nFigure 23: Function containing the Build Group, Build ID, and functions responsible for getting the screen size\r\nAurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, and Chrome. The gathered data is temporarily stored under the %temp% folder (Figure 24). 
As noted above, the stealer does not collect saved credentials from Mozilla Firefox.\r\nFigure 24: Temporarily stored data under %temp%\r\nThe function main_getMasterKey references os_crypt, encrypted_key, and DPAPI (Figure 25).\r\nFigure 25: References to os_crypt, encrypted_key, DPAPI\r\nDPAPI (Data Protection Application Programming Interface) is what Chromium-based browsers such as Chrome use to protect the key that encrypts saved cookies and passwords; its CryptProtectData and CryptUnprotectData APIs encrypt and decrypt data bound to the current user account.\r\nChrome stores the DPAPI-encrypted AES key, the master key, base64-encoded under os_crypt.encrypted_key in the browser's Local State file. To decrypt the saved credentials and cookies, Aurora Stealer base64-decodes that string, strips the 5-byte “DPAPI” prefix that Chrome prepends to the blob, and passes the remainder to CryptUnprotectData; the returned AES-256 key then decrypts the individual values in the Login Data and Cookies databases, each stored as the prefix “v10”, a 12-byte nonce, and the AES-GCM ciphertext with its tag. Because CryptUnprotectData only succeeds in the context of the user who encrypted the key, this step has to run on the victim's machine.\r\nAurora Stealer has multiple grabber functions that collect additional data such as crypto wallets, screenshots, files, and Telegram session data 
(Figure 26).\r\nFigure 26: Main grabber functions\r\nThe stealer also grabs files from the “Windows.old” folder, which holds a backup copy of the previous Windows installation when one exists (Figure 27).\r\nFigure 27: Grabber function to collect backup files from the previous version of Windows\r\nThe grabber function searches for crypto wallets under AppData\\Roaming (Figure 28), for example the LevelDB stores that hold the wallet keys:\r\nAppData\\Roaming\\Guarda\\Local Storage\\leveldb\r\nAppData\\Roaming\\atomic\\Local Storage\\leveldb\r\nFigure 28: Grabber function responsible for the crypto wallet search\r\nBelow is the grabber function for the Telegram tdata folder; placing a copied tdata folder next to the Telegram Desktop client lets the attacker log in as the victim without a password or second factor (Figure 29).\r\nFigure 29: Snippet of the grabber function that searches for Telegram tdata\r\nLike other stealers such as RedLine, Raccoon Stealer, and Vidar Stealer, Aurora Stealer has two modules: grabber and loader. The grabber module retrieves the files or folders specified by the attacker. The gathered files and folders are archived in a zip file named temp.zip under %userprofile% (Figures 30-31). The “END_PACKET_ALL_SEND” message is likely a debugging log line.\r\nFigure 30: Grabber module (1)\r\nFigure 31: Grabber module (2)\r\nThe stealer stores the loader (Figure 32), grabber, and general configuration within the build in base64-encoded form (Figure 33). 
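\r\nThe base64-wrapped artifacts this report describes, the build configuration (loader fields DW, PS, UnicID and Argument, grabber field FoF), the ^user^/^desktop^/^document^ markers that main_PathTrans expands, and the GZIP-compressed, base64-encoded JSON logs sent to the C2 on port 8081 (see the C2 Communication section below), can all be handled with the same handful of Python routines. The block below is an added example written for this page; it is neither the TRU extractor linked in the Appendix nor code from the stealer. It assumes that the decoded configuration blobs are JSON objects carrying those field names, and the build, configuration entries and log record it operates on are constructed here rather than taken from real Aurora samples.\r\n
```python
import base64
import binascii
import gzip
import json
import re

# Loader/grabber configuration field names taken from the report (DW, PS,
# UnicID, Argument, FoF). Treating each decoded blob as JSON is an assumption.
CONFIG_KEYS = ('DW', 'PS', 'UnicID', 'Argument', 'FoF')

# Placeholders that main_PathTrans rewrites, per the report. Mapping them to
# subfolders of the profile with forward slashes is a portable simplification.
PATH_PLACEHOLDERS = {'^user^': '', '^desktop^': 'Desktop', '^document^': 'Documents'}

# A base64 run of at least 40 characters, optionally padded.
B64_RUN = re.compile(b'[A-Za-z0-9+/]{40,}={0,2}')


def decode_json_blob(raw):
    '''Base64-decode a candidate run and parse it as JSON, or return None.

    A regex run can swallow printable bytes that precede the real blob, so
    retry after trimming up to three leading characters to restore the
    4-character base64 alignment before giving up.
    '''
    for skip in range(4):
        try:
            data = base64.b64decode(raw[skip:], validate=True)
            return json.loads(data.decode('utf-8'))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return None


def extract_build_config(build):
    '''Return every JSON object in a build whose keys match the Aurora config.'''
    found = []
    for match in B64_RUN.finditer(build):
        obj = decode_json_blob(match.group(0))
        entries = obj if isinstance(obj, list) else [obj]
        for entry in entries:
            if isinstance(entry, dict) and any(key in entry for key in CONFIG_KEYS):
                found.append(entry)
    return found


def path_trans(template, profile):
    '''Expand the ^user^, ^desktop^ and ^document^ markers of a grabber path.'''
    expanded = template
    for marker, sub in PATH_PLACEHOLDERS.items():
        target = profile if not sub else profile + '/' + sub
        expanded = expanded.replace(marker, target)
    return expanded


def pack_c2_log(log):
    '''Stealer side of the framing: JSON, then gzip, then base64.'''
    return base64.b64encode(gzip.compress(json.dumps(log).encode('utf-8')))


def unpack_c2_log(message):
    '''Analyst side: undo the framing; raise ValueError for anything else.'''
    try:
        compressed = base64.b64decode(message, validate=True)
        return json.loads(gzip.decompress(compressed).decode('utf-8'))
    except (binascii.Error, OSError, EOFError, UnicodeDecodeError, ValueError) as exc:
        raise ValueError('not a base64/gzip/JSON Aurora log: %s' % exc)


def looks_like_aurora_log(message):
    '''True when a captured payload unpacks cleanly with the Aurora framing.'''
    try:
        unpack_c2_log(message)
        return True
    except ValueError:
        return False


# Constructed sample data, not real Aurora artifacts: a loader entry and a
# grabber entry, appended base64-encoded to filler bytes to mimic a build,
# with two stray printable bytes (MZ) glued to the front of the blob.
SAMPLE_CONFIG = [
    {'DW': 'http://files.example.invalid/update.exe', 'PS': '', 'UnicID': '1', 'Argument': 'run'},
    {'FoF': '1', 'Path': '^desktop^/*.docx'},
]
SAMPLE_BUILD = (bytes(range(256)) * 8 + b'MZ'
                + base64.b64encode(json.dumps(SAMPLE_CONFIG).encode('utf-8')) + bytes(16))
SAMPLE_C2_LOG = {'Country': 'XX', 'HWID': '0123456789ABCDEF', 'BuildID': 'demo', 'CDD': 2, 'PDD': 1}

if __name__ == '__main__':
    for entry in extract_build_config(SAMPLE_BUILD):
        print(entry)
    print(path_trans(SAMPLE_CONFIG[1]['Path'], 'C:/Users/victim'))
    wire = pack_c2_log(SAMPLE_C2_LOG)
    print(len(wire), unpack_c2_log(wire) == SAMPLE_C2_LOG)
```
\r\nRun as a script it prints the recovered configuration entries, an expanded grabber path, and a round trip through the C2 framing. The alignment retry in decode_json_blob matters in practice: a base64 run located by regex frequently abuts other printable bytes in the binary, which shifts the 4-character alignment and makes a naive decode either raise or return garbage. Likewise, unpack_c2_log refuses anything that is not base64 wrapping a gzip member wrapping JSON, so it can double as a cheap classifier for traffic captured on port 8081.\r\n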
The loader module has two options:\r\nDownload and Run: the attacker specifies a direct download link to the additional payload.\r\nPowerShell: the attacker specifies a PowerShell command to run on the host.\r\nFigure 32: Loader module\r\nFigure 33: Loader configuration\r\nIn the loader configuration:\r\nDW is the downloader parameter.\r\nPS is the PowerShell parameter.\r\nUnicID is the unique identifier.\r\nArgument contains the loader task.\r\nThe loader's downloader pulls an executable from the file-hosting server at the end of the stealer's execution and places it under the %temp% folder. The stealer then launches the secondary payload with the PowerShell Start-Process cmdlet, as shown in Figure 34.\r\nFigure 34: Loader downloader module\r\nThe grabber configuration contains the path specified by the attacker from which to grab files or folders. The “FoF” parameter is likely a flag marking whether a file/folder grabber task is specified (Figure 35).\r\nFigure 35: Grabber configuration\r\nAurora Stealer stores its build configuration at the end of the binary in base64-encoded form (Figure 36). In a crypted build the configuration is hidden under the packer's encryption layer until the sample is unpacked, so static extraction should be run against an unpacked stealer.\r\nFigure 36: Configuration blob\r\nWe wrote a configuration extractor script in Python for Aurora Stealer that looks for base64-encoded patterns within the binary (linked in the Appendix).\r\nThe function main_ConnectToServer attempts to connect to the C2 server while printing log messages; if the connection fails, it sleeps for one second and retries (Figure 37).\r\nFigure 37: main_ConnectToServer function\r\nIf the 
connection is successful, the function exits with code “666” and the log message “BLACK ZONE”.\r\nThe main_PathTrans function replaces the placeholder strings ^user^, ^document^, and ^desktop^ in the grabber configuration with the %userprofile%, Documents, and Desktop paths respectively (Figure 38).\r\nFigure 38: main_PathTrans function\r\nMarch 2023 Update\r\nIn March 2023, the stealer developer released the first update since October 2022, as shown in Figure 39.\r\nFigure 39: March update\r\nThe major changes are the ability to grab FTP (FileZilla) and RDP credentials, the ability to change the ports used for the stealer panel and C2 communication, and the ability to specify file extensions and disk drives for the grabber module (Figures 40-41).\r\nFigure 40: Port settings in the panel\r\nFigure 41: Snippet of the FTP grabber\r\nBesides the WMIC commands mentioned at the beginning of this report, the developer added two commands that run upon execution of the malware:\r\ncmd.exe /c \"wmic csproduct get uuid\": retrieves the universally unique identifier (UUID) of the computer's system product.\r\nsysteminfo: displays detailed information about the operating system, hardware, and software components of the Windows host.\r\nUpon execution, the stealer spawns PowerShell processes to copy browsing data such as cookies, history, and credentials into a randomly named folder under AppData\\Local\\Temp, for example:\r\npowershell \"\" \"copy \\\"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\\\" \\\"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\\u003crandom_folder\u003e\\\"\"\r\nA running Chrome keeps Login Data locked, so stealers copy the file before opening it; the copy is itself a worthwhile detection signal: a powershell.exe child of an unsigned binary copying files out of a browser profile directory into %temp%.
C2 Communication \u0026 Stealer Logs\r\nAurora Stealer uses port 8081 by default to communicate with the C2 server, so before installing the stealer back end on the attacker's server, inbound traffic on port 8081 must be allowed through the firewall (Figure 42).\r\nFigure 42: Stealer logs sent to the C2 server\r\nThe stealer logs are sent to the C2 server as JSON, GZIP-compressed and base64-encoded. On the server, logs are stored in the Aurora build folder in the format [Country]HWID_BuildID (Figures 43-44).\r\nFigure 43: Stealer logs\r\nFigure 44: Stealer logs (UserInformation file)\r\nThe cache folder contains the database files extracted from the infected host, with cookies and credentials still in their encrypted form, as well as debug logs (Figure 45).\r\nFigure 45: Cache folder\r\nThe attacker(s) can also configure the stealer to send log notifications via Telegram, where CDD stands for “Cookies Detected” and PDD for “Passwords Detected” (Figure 46).\r\nFigure 46: Telegram notification settings\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. 
We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures such as:\r\nPerforming global threat hunts for indicators associated with Aurora Stealer.\r\nImplementing threat detections to identify malicious command execution and ensuring that eSentire has visibility and detections in place across eSentire MDR for Endpoint.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire's Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against Aurora Stealer malware:\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees about emerging threats, including malicious search ads that impersonate popular software downloads.\r\nEncourage your employees to use password managers instead of the password storage feature provided by web browsers, and use master passwords where applicable.\r\nWhile the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack techniques and tactics utilized by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire's TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.\r\n
Yara rule\r\nrule AuroraStealer {\r\n meta:\r\n author = \"eSentire Threat Intelligence\"\r\n description = \"Detects the Build/Group IDs if present / detects an unobfuscated AuroraStealer\"\r\n date = \"3/24/2023\"\r\n strings:\r\n $b1 = { 48 8D 0D ?? ?? 04 00 E8 ?? ?? EF FF }\r\n $b2 = { 48 8D 0D ?? ?? 05 00 E8 ?? ?? EF FF }\r\n $ftp = \"FOUND FTP\"\r\n $go = \"Go build ID\"\r\n $machineid = \"MachineGuid\"\r\n condition:\r\n 3 of them\r\n}\r\nIn the rule, $b1 and $b2 are byte patterns for a lea rcx, [rip+disp32] followed by a backward call rel32 (48 8D 0D ... E8 ...), which the description ties to the code referencing the Build/Group IDs, while $go and $machineid are strings that also appear in many legitimate Go programs; the condition therefore requires three of the five. As the description states, the rule targets unobfuscated builds, so run it against unpacked samples rather than crypted or size-pumped payloads.\r\n
MITRE ATT\u0026CK\r\nTactic | ID | Technique | Description\r\nReconnaissance | T1592 | Gather Victim Host Information | During initial execution, Aurora Stealer gathers information on the OS, processor name and video controller\r\nInitial Access | T1189 | Drive-by Compromise | Aurora Stealer is delivered via a website hosting a fake software installer\r\nDefense Evasion | T1027.001 | Binary Padding | Aurora Stealer has a file pump feature that adds null bytes to the stealer payload when the build is created\r\nCredential Access | T1555, T1555.003 | Credentials from Password Stores, Credentials from Web Browsers | Aurora Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards, as well as FTP and RDP credentials\r\nDiscovery | T1082 | System Information Discovery | The stealer enumerates the host for hardware and geographical information as well as the screen size\r\nCollection | T1113 | Screen Capture | The stealer takes a screenshot of the infected machine and sends it to the C2\r\nExfiltration | T1020 | Automated Exfiltration | The stealer automatically exfiltrates the gathered files to the C2; file grabbing options can be customized by the attacker\r\n
Indicators of Compromise\r\nName | Indicator\r\nAurora Stealer (MD5) | 306fc85ff1c7e06f631c37d60d4ad98b\r\nAurora Stealer (MD5) | da1548613d5fa9520931952675f92ca9\r\nAurora Stealer (MD5) | 16b349b80ef9e6d6a86e768b4e01fc4c\r\nAurora Stealer (SHA256) | aa349ad45bb48e85b5cd1b55308ae835353859219f28ece9685c8ae552e8e63a\r\nC2 | 212.87.204.93:8081\r\nC2 | 185.106.93.245:8081\r\nC2 | 185.106.93.135:8081\r\nC2 | 195.123.218.52:8081\r\n
Appendix\r\nhttps://www.esentire.com/security-advisories/increased-activity-in-google-ads-distributing-information-stealers\r\nhttps://twitter.com/1ZRR4H/status/1618136958596960256?s=20\u0026t=UWEJ4jIxIg4XXv384Ibwow\r\nhttps://www.passcape.com/index.php?section=docsys\u0026cmd=details\u0026id=28#14\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata\r\nhttps://unit42.paloaltonetworks.com/credential-gathering-third-party-software/\r\nhttps://github.com/RussianPanda95/Configuration_extractors/blob/main/aurora_config_extractor.py\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire's Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE'S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-aurora-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775438981,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b27321c0c8126dbd3555581b7d9dd335bd011cb.pdf",
		"text": "https://archive.orkl.eu/8b27321c0c8126dbd3555581b7d9dd335bd011cb.txt",
		"img": "https://archive.orkl.eu/8b27321c0c8126dbd3555581b7d9dd335bd011cb.jpg"
	}
}