{
	"id": "c2de7895-ff06-4b46-989f-43c9c71f30ef",
	"created_at": "2026-04-06T00:21:57.272317Z",
	"updated_at": "2026-04-10T13:12:14.072995Z",
	"deleted_at": null,
	"sha1_hash": "b97b14a6dbd47851784d9c874b2b4faa91955fe2",
	"title": "Aurora Stealer Builder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281064,
	"plain_text": "Aurora Stealer Builder\r\nBy Mohamed Adel\r\nPublished: 2023-04-23 · Archived: 2026-04-05 19:40:55 UTC\r\nIn the previous article, I discussed what’s inside Aurora Stealer. After the release, @Gi7w0rm provided me samples of some versions of the Aurora Stealer builder: a new version that was created recently and another one that was created in 2022. The newer version has some improvements in the builder and new features that we will discuss in this article. Before we start, it is important to note that the builder also contains and creates the web panel used to control the bots. This means the binaries we are looking at are actually a hybrid between a builder and a panel.\r\nIn main_main the first display page is prepared to accept the credentials of the user and start checking them. It first displays ASCII art of the word Aurora and provides communication channels for contacting the Aurora developers.\r\nAfter the initial screen, it saves the UUID of the user, with the same function discussed before, to make sure that only one user is using the builder.\r\nThen it asks for the login and password of the user.\r\nhttps://d01a.github.io/aurora-stealer-builder/\r\nPage 1 of 30\n\nAfter the credentials are provided, it calls main_createAccess . It saves the string 123 and passes the path ./cache/Auth.aurora to a function called main_exists that checks whether the file exists. If it exists, it asks the user to delete it by hand; if not, it creates it.\r\nIt appends the UUID and the string AURORA_TECHNOLOGY and calculates the MD5 hash of the result, using the form \u003cUUID\u003eAURORA_TECNOLOGY\r\nafter which it takes this hash to make a string in the following form:\r\n123_aurora_\u003cMD5_OF(\u003cUUID\u003eAURORA_TECNOLOGY)\u003e_technology_123\r\nThen the SHA1 hash is calculated for this string.\r\nIt generates the first string again and its MD5 hash. 
It uses the MD5 hash as the key for an AES-GCM encryption routine. The generated bytes are then written to ./cache/Auth.aurora\r\nTo know what was written to the file, we can use this script:\r\nfrom Crypto.Cipher import AES\r\nimport binascii\r\n# key is the MD5 hash of \u003cUUID\u003eAURORA_TECHNOLOGY\r\nkey = b\"\u003cKEY\u003e\"\r\n# Auth.aurora content as a hex string\r\nciphertext_hex = \"\u003cCIPHER\u003e\"\r\ndata = binascii.unhexlify(ciphertext_hex)\r\n# layout of the file: 12-byte nonce | ciphertext | 16-byte GCM tag\r\nnonce, tag = data[:12], data[-16:]\r\ncipher = AES.new(key, AES.MODE_GCM, nonce=nonce)\r\n# decrypt_and_verify raises ValueError if the tag does not match\r\ncleartext = cipher.decrypt_and_verify(data[12:-16], tag)\r\nprint(cleartext)\r\n# cleartext is the SHA1 hash of the string \"123_aurora_\u003cMD5_OF(\u003cUUID\u003eAURORA_TECNOLOGY)\u003e_technology_123\"\r\nwhich shows us the SHA-1 hash of the string: 123_aurora_\u003cMD5_OF(\u003cUUID\u003eAURORA_TECNOLOGY)\u003e_technology_123\r\nGoing back to main_main , where it creates yet another hash:\r\nThis time, the password and login are used to create a string of the following form: \u003cLOGIN\u003e_Aurora_2023_Technology_\u003cPASS\u003e . Then it calculates the SHA1 hash of it.\r\nThen it calls main_server . This could be where the authentication of the user happens; this is just a hypothesis.\r\nIt sleeps 1000000000 nanoseconds (1 second). 
Then it makes a TCP connection to 185.106.93.237:56763 which seems to be the server where user authentication is done.\r\nIf the connection is established, it calls main_DynamicKey which generates a key based on the minutes of the current time in the America/Los_Angeles time zone, and calculates the SHA1 hash of it.\r\nBack in the main_Server function, the builder then puts all the hashes in JSON format to be sent to the server.\r\nThe remote server then verifies the given data and responds with one of the few response strings below:\r\nResponse | Action\r\nHWID_BAD | [Aurora] HWID has a different value on the license server, write support\r\nNOT_FOUND_ACCOUNT | [Aurora] Account has been not found, wrong login or password.\r\nLOST_LICENSE | [Aurora] License expired.\r\nDYNAMIC_KEY | [Aurora] Dynamic key wrong, check time your OS or write support.\r\nI tried to emulate the C2 communication with fakenet. After a very long time trying to do that, it works to respond to it with the format of data it waits for, but there is still something missing.\r\nI edited the configs of the TCPListener of fakenet as can be seen below:\r\n1. In default.ini edit the default configs to the following:\r\n[RawTCPListener]\r\nEnabled: True\r\nPort: 56763 # port the builder communicates over\r\nProtocol: TCP\r\nListener: RawListener\r\nUseSSL: No\r\nTimeout: 100\r\nHidden: False\r\n# To read about customizing responses, see docs/CustomResponse.md\r\nCustom: sample_custom_response.ini\r\n2. Create or use the provided sample_custom_response.ini so that it contains the following (this is already set by default):\r\n[ExampleTCP]\r\nInstanceName: RawTCPListener\r\nTcpDynamic: CustomProviderExample.py\r\n3. 
The builder waits for a JSON string delimited by the character 0x0A ; if this is not in the response it will wait forever.\r\nAs a result CustomProviderExample.py should contain a JSON string ending with 0x0A . I was testing with the following code:\r\nimport socket\r\n\r\n\r\ndef HandleTcp(sock):\r\n    \"\"\"Handle a TCP buffer.\r\n    Parameters\r\n    ----------\r\n    sock : socket\r\n        The connected socket with which to recv and send data\r\n    \"\"\"\r\n    while True:\r\n        data = None\r\n        try:\r\n            data = sock.recv(1024)\r\n        except socket.timeout:\r\n            pass\r\n        if not data:\r\n            break\r\n        # the builder reads until 0x0A, so the JSON reply must end with it\r\n        resp = b'{\"Test\":\"test\",\"Test2\":\"Test2\"}\\x0A'\r\n        sock.sendall(resp)\r\nA value of the accepted JSON string must be the dynamic key, which is generated based on the local time of the user. This dynamic key is calculated again and the two values are compared in order to check whether the sample is being debugged.\r\nNice!\r\nLicense info and IP used\r\nThe JSON strings also contain some other information about the user and the license.\r\nAlso, it contains an IP that is used later in some other interesting functions. The author expects only one IP to be used by the builder.\r\nIt calls convTstring which takes a generic value (any type) and converts it to a string. I don’t really know why it calls convTstring , as it is an IP it would be passed as a string in the JSON. Maybe later we will realize what’s going on here.\r\nWe see some calls to runtime.newProc . This function creates a new goroutine and puts it in the run queue of other goroutines waiting to run. It is generated by the compiler when the go keyword is used. Interesting topic, huh? Read more about it here. 
Sadly, it makes debugging more difficult.\r\nBack to the JSON data: it is decoded with the json.Unmarshal function, which takes the data in bytes and a structure to decode it into. How is the data mapped to the structure? Well, according to the Go documentation:\r\nHow does Unmarshal identify the fields in which to store the decoded data? For a given JSON key \"Foo\" , Unmarshal will look through the destination struct’s fields to find (in order of preference):\r\nAn exported field with a tag of \"Foo\" (see the Go spec for more on struct tags),\r\nAn exported field named \"Foo\" , or\r\nAn exported field named \"FOO\" or \"FoO\" or some other case-insensitive match of \"Foo\" .\r\nWhat happens when the structure of the JSON data doesn’t exactly match the Go type?\r\nUnmarshal will decode only the fields that it can find in the destination type\r\nSo, we should guess the names of the JSON keys. One of them is the dynamic key, but we should figure out how it’s decoded. We can use the pattern of the previously sent data, where it was called DK . Sadly, this and other attempts didn’t work. So, I will continue the other things only statically in IDA.\r\nMain Functionality\r\nThe main functionality of the builder is invoked with a series of goroutine calls. Each called function prepares some data to be used later or starts the server itself. This serves as the main function of the builder.\r\nThe first function of the series of newProc calls is main_LoadToDB which loads a very large file called geo.aurora that contains a list of IP ranges all over the world.\r\nViewing the cross-references we can deduce that it is used to identify the geolocation of a victim.\r\nA sample of the content of geo.Aurora can be seen below. 
The file contains ~380MB of data like this.\r\n[\r\n  {\r\n    \"Country_short\": \"AU\",\r\n    \"City\": \"Queensland\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.0.0\",\r\n    \"Out\": \"1.0.0.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"CN\",\r\n    \"City\": \"Fujian\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.1.0\",\r\n    \"Out\": \"1.0.3.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"AU\",\r\n    \"City\": \"Victoria\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.4.0\",\r\n    \"Out\": \"1.0.7.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"CN\",\r\n    \"City\": \"Guangdong\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.8.0\",\r\n    \"Out\": \"1.0.15.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Tokyo\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.16.0\",\r\n    \"Out\": \"1.0.16.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Tokyo\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.17.0\",\r\n    \"Out\": \"1.0.31.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"CN\",\r\n    \"City\": \"Guangdong\",\r\n    
\"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.32.0\",\r\n    \"Out\": \"1.0.63.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Hiroshima\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.64.0\",\r\n    \"Out\": \"1.0.64.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Hiroshima\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.65.0\",\r\n    \"Out\": \"1.0.66.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Hiroshima\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.67.0\",\r\n    \"Out\": \"1.0.67.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Hiroshima\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.68.0\",\r\n    \"Out\": \"1.0.68.127\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Miyagi\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.68.128\",\r\n    \"Out\": \"1.0.69.255\"\r\n  },\r\n  {\r\n    \"Country_short\": \"JP\",\r\n    \"City\": \"Hiroshima\",\r\n    \"Region\": \"\",\r\n    \"Zipcode\": \"\",\r\n    \"Timezone\": \"\",\r\n    \"In\": \"1.0.70.0\",\r\n    \"Out\": \"1.0.71.255\"\r\n  },\r\n  ....\r\n]\r\nThe second function gets the status of the infected systems. 
This includes a check whether the bot is active, the last connection time of the bot, and the current time.\r\nThe third function deletes all the screenshots stored in the bot directory!\r\nIt sorts out the pictures to be deleted by the _ in their names, then it takes those that contain the word ACTUAL ; lastly, it strips the file extension .png from the string using strings.Trim , and the remaining string should be a number, as it calls strconv.Atoi and then gets the current time. What a mess!\r\nIt then proceeds to finally delete the file.\r\nCommand Receiver\r\nThe next function is main_CommandReceiver . It queues the commands received by the builder.\r\nThe function Map.Range has the definition:\r\nfunc (m *Map) Range(f func(key, value any) bool)\r\nwhere f is a function called for each \u003ckey,value\u003e pair. So the variable CMD_QUEUE would contain the received commands.\r\nGoing through the function main_CommandReceiver_func2 we see that the software first checks if the received command is STOP . If the STOP command is received, the builder exits.\r\nFor all other commands, it goes to another function, main_CommandReceiver_func2_1 . It’s expecting the 3-character command MIX .\r\nIt packs data about the victims with GZip, base64 encodes it, and then stores it back using Map.Store .\r\nThere were some log messages related to other commands here. However, I couldn’t figure out how the commands are treated. 
Based on the sample I discussed in a previous article, I guess this is connected to the messages sent from the victim machine.\r\nMain server functionality\r\nThe server is now ready to work and to build the graphical interface of the builder, which is used to view the victims’ data and state and further to use the victims as bots and stealer-hosting servers over SFTP.\r\nThe next function is main_SERVER_func1 ; it calls main_ForwardPort with the argument :7367 .\r\nThen this function calls aurora_core_server__Server_Start ; this long value is passed, together with the port number, to its driver function.\r\nThis function starts the main server that displays the dashboard. I tried to adjust the execution to continue, but the program crashed.\r\nNote: SixSixSix is the author of the Stealer and not my username.\r\nBack to function main_Server_0 ( main_Server ).\r\nIt logs the start of the server in the main display.\r\nThe server is started using the net.Listen function, which takes the protocol tcp and the port 456 .\r\nMain Client\r\nAfter setting up the server, the function main_server_func2 is called.\r\nThis function only calls the main_Client function.\r\nHandling incoming data\r\nTo handle incoming data from the victim, the panel/builder reads the data on the listening port using bufio__Reader_ReadString . This data must be delimited by 0x0A as discussed previously. It comes in a compressed format, so the function main_uncompress is used to decompress it.\r\nTo do so, the function takes the base64 encoded data and decodes it, then it is decompressed using GZip. You might remember from my last article that this is the way the data was sent from the victim’s device.\r\nThe data is in JSON form, so it’s extracted with a call to json.Unmarshal . 
The resulting data is then stored in a victim database file. The last message is additionally stored in the map.\r\nOne of the first packets received from the victim is a large base64 blob. After decoding it using the above-mentioned method, it can be seen that this blob is a screenshot from the victim’s machine.\r\nThis image is used to update the screenshot whose name contains _ACTUAL.png . The old one is then deleted.\r\nThe other screenshots are stored in a similar way, but the name is different.\r\nIt updates the stolen victim data as well, and the last response from each infected host is stored in the previously created map.\r\nmain_GetGeo is then called. If we remember, the loaded JSON string was referenced in this function.\r\nIt parses the IP string to convert it to a Go IP type, which is a dotted-decimal IP address.\r\nThen it goes through the very large loaded JSON string that contains every IP range associated with each region all over the world.\r\nNew victims carry the identifier string MIX , which is checked in order to handle them.\r\nIf the victim is new, it will store the screenshot with the _ACTUAL tag as discussed before, but there is no old one to delete.\r\nAt the very end of the function, a call to main_Registration is made. This function just adds a new entry to the victims’ list and gets the geolocation of the victim.\r\nMain web server\r\nAt the beginning of the function main_Server there was a goroutine that I missed initially. It calls main_web before the call to net.Listen .\r\nmain_web initializes the web interface of the builder and the dashboard with all of its functionality. 
The server starts at port 8181 .\r\nThe function follows the same pattern to set the handler methods for the APIs:\r\nThe following table contains all available APIs with their associated handlers:\r\nAPI | APIHandler name | APIHandler address | Description\r\ngetbots | main_web_func1 | 0x7635A0 | Lists all the victims by walking through the main_BOT_CONN map\r\ncallback | main_web_func2 | 0x763800 | Gets the callback message of each victim through main_BOT_LASTMESSAGE , or by querying the raw query of the connection address and getting the message associated with the victim IP\r\ncallback_STR | main_web_func3 | 0x763A00 | Gets the callback message string for each victim stored at main_BOT_LASTMESSAGE_STRING\r\ncallback_ps | main_web_func4 | 0x763C00 | Gets the PowerShell response of each victim through main_BOT_POWERSHELL_MESSAGE , or by querying the raw query of the connection address and getting the PowerShell message\r\nStatistic | main_web_func5 | 0x763E00 | Shows statistics about the victims stored in the .Aurora file in the ./bots/ folder and redirects to the web/statistic.html HTML template. The statistics show all the users with their IP addresses and geolocation\r\nsend_pw | main_web_func6 | 0x764428 | Sends a base64 encoded PowerShell command to the victim using the JSON format. The associated key in the query is the argument string\r\nGiveMeBuild | main_web_func7 | 0x7648E0 | Checks/builds the executable file of the stealer. The build file is stored in .\\build ; it first checks if it exists on the system. If it exists, it tries to read it. If the read is not successful, it exits. Otherwise, the file is prepared to be sent as an attachment to another remote system. 
It is sent in the Content-Disposition header as follows:\r\nContent-Desposition: attachment = .exe\r\nsend | main_web_func8 | 0x764E60 | Sends cmd / PowerShell commands to the victims. They are sent through the argument key in the URL raw query\r\nsftp_stop_reverse | main_web_func9 | 0x7655A0 | Closes the SFTP connection with the victims and closes the associated port forwarding functionality. Also, it deletes the entry associated with the deleted victim’s SFTP connection in the main_BOT_CLIENT_SFTP map\r\nsftp_reverse | main_web_func10 | 0x765820 | Starts an SFTP server with the victim. The connection is made through port 7273 . A successful connection is indicated by the WORK string. The configuration and data about the connection are kept in the associated maps main_BOT_CLIENT_SFTP and main_BOT_LASTMESSAGE . This reverse shell is then used to host the stealer. The infected bots can be used in DoS attacks too.\r\nscreenshot | main_web_func11 | 0x766540 | Takes a screenshot of the victim; it first checks if the victim is active. A SHA1 hash is calculated over the png file to see whether the screenshot is the same as the stored one before updating the victim database. The result is identified by a Bad or Good statement.\r\nbot | main_web_func12 | 0x766C00 | Displays the status of the bots and all their information (online bots, their geolocation, SFTP-connected bots) in the web/bot.html HTML template page. It also reads the content of ./core/scr_n_f.png but I don’t see any use of it. It encodes the data in it and then redirects to bot.html\r\nlogout | main_web_func13 | 0x767680 | Logs out!\r\nauth | main_web_func14 | 0x767780 | Authenticates the access of the client. 
It uses the file ./cache/Auth.Aurora to compare its content with the newly calculated hashes as discussed before.\r\ndashboard | main_web_func15 | 0x767BA0 | The dashboard of the stealer, which shows some data about the active and offline bots.\r\ndel_cmd | main_web_func16 | 0x768220 | Deletes a registered command from the main_CMD_QUEUE assigned to the victim\r\ncommands | main_web_func17 | 0x768380 | Displays the command selection interface in the web/commands.html HTML template\r\nAddCommand | main_web_func18 | 0x768840 | Adds a new command to the victim commands list; it reads the assigned commands JSON data and adds a new command to it by calling main_AddCommand , which updates the main_CMD_QUEUE map assigned to the victim.\r\nAddLoaderCommand | main_web_func19 | 0x768B60 | Adds a loader command. It reads the response of the Client.Get() method and then the associated JSON data and base64 encodes it. There are some strings used in the identification, like EXTERNAL_RUN_PE_X64 . The data is then stored in the associated map ( main_CMD_QUEUE ) and the victims DB\r\nIn Go, URL.Query (from the net/url package) parses the raw query and returns the values:\r\nu, err := url.Parse(\"https://example.com/?a=1\u0026b=2\")\r\nif err != nil {\r\n    panic(err)\r\n}\r\nq := u.Query()\r\n// q holds the values associated with a \u0026 b\r\nfmt.Println(q.Get(\"a\")) // prints 1\r\nfmt.Println(q.Get(\"b\")) // prints 2\r\nThere’s another sample provided to me, the executable with hash 33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad .\r\nThis sample looks like it was one of the first trials of the author to create a stealer in Go. It depends on so many additional legitimate packages from GitHub to create the server, handle the database manipulation and some other things. 
In the newer builder, it seems like he got more familiar with the Go language and didn’t rely on the packages from GitHub.\r\nThe packages are used to grab the favicon (from the first GitHub account), create the GUI web application (the second account), provide a sqlite3 interface and provide a library like ReadLine in C.\r\nThe repositories are in the following table:\r\nThe old sample has some functions that were described before and which were extended in the 2023 version: the hash calculation method and the dynamic key, but instead of Aurora_Stealer_2023 it uses Aurora_Stealer_2022 . Then it connects to the remote server to authenticate the user data, at the IP 185.106.93.237:6969 using the TCP protocol.\r\nAnother dynamic key is used to authenticate with the server, also based on the current time; however, in the old sample the string Aurora_Stealer_SERVER is used.\r\nThis key is sent to the remote server and calculated again later in the following code to verify the user access and the dynamic key, to make sure no debugging session has been started.\r\nIf the keys do not match, the function breaks and the program is terminated.\r\nAnother dynamic key is calculated, but this time for the client; it uses the string Aurora_Stealer_2033 with the same timing-based method of calculation discussed above.\r\nThe hashes are then stored in ATX.Aurora in the ./cache folder.\r\nIt then checks the existence of some files: ./cache/ATX.Aurora , ./cache/telegram.Aurora , ./cache/Config.Aurora and ./cache/Trash .\r\n./cache/Trash contains older Aurora executables. The older executables are auto-moved to this folder using a PowerShell command, and the new version, which is expected to be in .zip format with the name Update.zip , is then unzipped and replaces the older version. The program is then restarted using PowerShell. 
This is all done in the main_AutoUpdate function.\r\nThe function main_ReadTGData reads Telegram data from the file ./cache/telegram.Aurora , which is AES encrypted. The authentication is done using a Telegram bot through the Telegram API. This authentication method is removed from the new version, where everything is done by communicating with the remote server.\r\nThe old builder additionally contains an important function called main_LoadStealer . This function calls two other goroutines. Both functions execute PowerShell commands that configure the firewall to allow the stealer to receive incoming TCP connections on ports 80 and 8081.\r\n# function main_LoadStealer_func2: allow inbound TCP on local port 80\r\nnetsh advfirewall firewall add rule name=\"Port 80\" dir=in action=allow protocol=TCP localport=80\r\n# function main_LoadStealer_func2: allow inbound TCP on local port 8081\r\nnetsh advfirewall firewall add rule name=\"Port 8081\" dir=in action=allow protocol=TCP localport=8081\r\nAt the end of the main function, it creates a new hidden instance of CMD and starts the web service of the stealer using the function main_StartWeb .\r\nThis function starts the web service on localhost at http://127.0.0.1/dashboard . It has a different set of APIs and different associated handlers than the newer version.\r\nThe command strings are highlighted.\r\nAPI | APIHandler name | APIHandler address | Description\r\nreceive | main_StartWeb_func1 | 0x140421B00 | It receives the incoming commands and connects to the remote server 185.106.93.237:6969 to match the stored hashes with the calculated one in the form Aurora\u003cPASSWORD . This function has a lot of other functionality. It reads the command from the response of the server. 
It allows the user to delete a directory ( Delete ), remove the file grabber ( RemoveG ), or remove the loader ( RemoveL ). GEO_URL gets the geolocation of all victims. AddDmen adds a new domain name received from the server. BuildGen builds a new version of the stealer, with the ability to increase the file size ( PumbMB ). DeleteTG and AddTelegram delete/add the Telegram configuration. DeleteAll deletes all the configs. ChangePassword changes the password, and Download_AllLogs downloads all log files. Download_OnlyCrypto downloads the crypto wallet information only.\r\napi.exe | main_StartWeb_func2 | 0x140421B60 | Adds a new Telegram API key to the stealer and adds an icon using the Resource Hacker command ./resource/ResourceHacker.exe -open ./builds/\u003cSTEALER_NAME\u003e.exe -save ./builds/\u003cSTEALER_NAME\u003e.exe -action addskip -res ./resource/main.ico -mask ICONGROUP,MAIN .\r\ndashboard/{id:[0-9]+} | main_productsHandler | 0x14041D080 | Displays the main window of the web service with information about a specific victim ID: cookies, passwords, the geolocation, and crypto wallet information. Logs are stored in the ./logs/ folder and contain passwords in passwords.txt and cookies in the folder Cookies . All the information is shown through the HTML template ./gui/Dashboard.html\r\ndownload_geo | main_StartWeb_func3 | 0x140422100 | Retrieves the geolocation information, the same as the new one.\r\ndownload_l | main_StartWeb_func4 | 0x1404222A0 | Gets the logs in a .zip archive, uncompresses it and deletes the archive. 
The logs contain all the stolen data\r\napi/get-log-build | main_StartWeb_func5 | 0x140422620 | Gets the build logs from ./logs associated with a specific API key used\r\nbuild.exe | main_StartWeb_func6 | 0x140422B60 | Gets a build executable of the stealer stored at ./builds\r\ndashboard | main_StartWeb_func7 | 0x140422EA0 | Displays the dashboard of the stealer and shows some statistics about the infected systems: IPs, geolocation and the stolen information\r\nloader | main_StartWeb_func8 | 0x140422FE0 | Displays information about the loader and file grabber. The threat actor can use this section to configure the loader and specify the target file to grab. The file ./config/telegram.txt is used to extract the Telegram connection configuration. The information is viewed by rendering the gui/Loader.html HTML template.\r\nsetting | main_StartWeb_func9 | 0x1404234A0 | Builder settings: displays information about the subscribed plan, changes the password and the Telegram configuration and API, and shows the used domains\r\nauth | main_StartWeb_func10 | 0x140423A40 | The AUTH page that the user signs in to, where the used credentials and the AUTH cache file in ./cache/AuthHash.Aurora are checked. Whenever the user navigates, the credentials and hashes are checked; if they are not valid, the user is redirected to this page\r\nbuilder | main_StartWeb_func11 | 0x140423CC0 | Creates a new build; the build target architecture and victims group are chosen here.\r\nchecker | main_StartWeb_func12 | 0x140424380 | Checks the wanted information from the victim DB. 
It checks the build used and gets the geolocation of the specified victim.\r\nThen the server is started on port 80 .\r\nIn the function main_AddNewClient , the victim entries in the database are created by calling main_CreateDB ; the data stored about the user in UserInformation.txt is:\r\n- HWID\r\n- Build ID\r\n- Log date\r\n- IP\r\n- Country\r\n- Region\r\n- City\r\n- PC INFORMATION\r\n- CPU\r\n- Screen Size\r\n- Screen Size\r\n- RAM\r\n- Display Device (GPU)\r\nIn addition to the stolen information, the following credentials are received:\r\n- Steam\r\n- Passwords\r\n- cookies\r\n- crypto wallets (stored in the subdirectory /wallets )\r\n- Telegram info\r\n- screenshots\r\n- grabbed files (stored in the subdirectory ./FileGrabber )\r\n- Cards information\r\nBrowser cookies are stored in .db files in ./cache to be decrypted, and the extracted data is stored in a .txt file.\r\nThe end of the packet is marked by the END_PACKET_ALL_SEND sentence, and the last packet sent to the victim is Thanks ; then the data are zipped and sent to the configured Telegram account.\r\nThe function main_DecryptLog_Card is used to decrypt the collected credit card information. 
It uses the following sqlite3\r\nquery to achieve that:\r\n1 select name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified, use_date, use_count, nickname from\r\nYou can find screenshots of the HTML templates in this tweet.\r\nall the rules can be found here.\r\nnew builder version\r\n 1\r\n 2\r\n 3\r\n 4\r\n 5\r\n 6\r\n 7\r\n 8\r\n 9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\nrule aurora_stealer_builder_new{\r\n meta:\r\n malware = \"Aurora stealer Builder new version 2023\"\r\n hash = \"ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81\"\r\n reference = \"https://d01a.github.io/\"\r\n Author = \"d01a\"\r\n description = \"detect Aurora stealer Builder new version 2023\"\r\n strings:\r\n $is_go = \"Go build\" ascii\r\n $s1 = \"_Aurora_2023_Technology_\" ascii\r\n $s2 = \"AURORA_TECHNOLOGY\" ascii\r\n $s3 = \"scr_n_f.png\" ascii\r\n $s4 = \"EXTERNAL_RUN_PE_X64\" ascii\r\n $s5 = \"[Aurora]\" ascii //log messages begin with [Aurora] __LOGMSG__\r\n $fun1 = \"main.Server\" ascii\r\n $fun2 = \"main.GetAcess\" ascii\r\n $fun3 = \"main.AddCommand\" ascii\r\n $fun4 = \"main.GetGeoList\" ascii\r\n $fun5 = \"main.GiveMeBuild\" ascii\r\n condition:\r\n uint16(0) == 0x5a4d and ( $is_go and (2 of ($s*)) and (2 of ($fun*)) )\r\n}\r\nold builder version\r\n 1\r\n 2\r\n 3\r\n 4\r\n 5\r\n 6\r\n 7\r\n 8\r\n 9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\nrule aurora_stealer_builder_old{\r\n meta:\r\n malware = \"Aurora stealer Builder old version 2022\"\r\n hash1 = \"33fc61e81efa609df51277aef261623bb291e2dd5359362d50070f7a441df0ad\"\r\n reference = \"https://d01a.github.io/\"\r\n Author = \"d01a\"\r\n description = \"detect Aurora stealer Builder old version 2022\"\r\n strings:\r\n $is_go = \"Go build\" ascii\r\n $s1 = \"ATX.Aurora\" ascii\r\n $s2 = \"Aurora_Stealer_2033\" ascii\r\n $s3 = \"Aurora_Stealer_SERVER\" ascii\r\n $s4 = \"[Aurora Stealer]\" //log 
messages\r\n        $fun1 = \"main.DecryptLog\" ascii\r\n        $fun2 = \"main.CreateDB\" ascii\r\n        $fun3 = \"main.GenerateKey\" ascii\r\n        $fun4 = \"main.TGParce\" ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and ( $is_go and (2 of ($s*)) and (2 of ($fun*)) )\r\n}\r\n
Indicator | Description\r\n185.106.93.237:56763 | Aurora server (version 2023) used in user account verification\r\n185.106.93.237:6969 | Aurora server (version 2022) used in user account verification\r\nAuth.aurora | locally created for each Aurora panel user and used in account verification\r\nscr_n_f.png | contains config information\r\nscreenshot/ | a local folder that contains victims’ screenshots\r\n\u003c*\u003e_ACTUAL.png | screenshot of the current state of online bots\r\n\u003c\u003e_\u003c\u003e.png | custom screenshots format\r\n
The following go files were identified in the binary, all starting with the path “C:/Users/SixSixSix/Desktop/Botnet 2023/26.01.2023/new/”:\r\nauth.go\r\ncrypt.go\r\ncommand.go\r\ncompressor.go\r\ncore.go\r\ngeo.go\r\nmain.go\r\npfor.go\r\nport.go\r\nweb.go\r\ncore/statistics/window.go\r\ncore/statistics/winfuns.go\r\ncore/statistics/queue.go\r\ncore/monitor/monitor.go\r\ncore/common/copy.go\r\ncore/common/udpconn.go\r\ncore/common/util.go\r\ncore/logger/logger.go\r\ncore/schema/monitor.go\r\ncore/schema/util.go\r\ncore/server/client.go\r\ncore/server/client_handlers.go\r\ncore/server/server.go\r\ncore/server/server_handlers.go\r\n
Similar files were identified in the old version of the builder/panel. The common path for this older sample is “C:/Users/SixSixSix/Desktop/Aurora 2022/server”:\r\nauth.go\r\ncompressor.go\r\nconfig.go\r\ncryptography.go\r\nfavicon.go\r\ngeo.go\r\ngui.go\r\nmain.go\r\nnotify.go\r\nother.go\r\nserver.go\r\ntelegram.go\r\nzip.go\r\n
To create the Yara rules, the following strings were used. All of them are present in the builder.\r\nNew sample:\r\n127.0.0.1:7273\r\nPOWR\r\nWORK\r\nPORT_FORWARD\r\nFTP_RUN - REVESRE START\r\n_*Aurora_2023_Technology_*\r\nAURORA_TECHNOLOGY\r\n./cache/Auth.aurora\r\n_ACTUAL\r\n./bots/screenshot/\r\n./core/scr_n_f.png\r\nEXTERNAL_RUN_PE_X64\r\n[Aurora] Botnet - SERVER - RUN\r\nOld sample:\r\n./cache/Config.Aurora\r\n./cache/Aurora.Aurora\r\n./cache/telegram.Aurora\r\n./cache/ATX.Aurora\r\nAurora_Stealer_2033\r\nAurora_Stealer_SERVER\r\nAurora_Stealer_2022\r\nhttps://api.telegram.org/bot%s/%s\r\n./cache/AuthHash.Aurora\r\n[Aurora Stealer]: Yes i am work!\r\n
Thanks to @gi7w0rm for providing me with the samples and helping me format the article to make it better.\r\nSource: https://d01a.github.io/aurora-stealer-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://d01a.github.io/aurora-stealer-builder/"
	],
	"report_names": [
		"aurora-stealer-builder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b97b14a6dbd47851784d9c874b2b4faa91955fe2.pdf",
		"text": "https://archive.orkl.eu/b97b14a6dbd47851784d9c874b2b4faa91955fe2.txt",
		"img": "https://archive.orkl.eu/b97b14a6dbd47851784d9c874b2b4faa91955fe2.jpg"
	}
}