Windows Analysis Report
Aura.exe

Overview

General Information

Sample name: Aura.exe
Analysis ID: 1543669
MD5: d4c99337bc1f8e9ba7c0cf81dd01c39d
SHA1: e34e7fc7d3f41fe73dc5735b9ee7ed41f198543f
SHA256: 714d338600b157fe68e58271223bc1387e1e63f8c3511e4e76faa774269e30a6
Tags: exe, user-4k95m

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Aura.exe ReversingLabs: Detection: 23%
Source: Aura.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Aura.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C008E3 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_02C008E3
Source: C:\Users\user\Desktop\Aura.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00615FC0 0_2_00615FC0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00073040 0_2_00073040
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C173EC 0_2_02C173EC
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF43DF 0_2_02BF43DF
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF3320 0_2_02BF3320
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF4080 0_2_02BF4080
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C11060 0_2_02C11060
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF51FC 0_2_02BF51FC
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C106E0 0_2_02C106E0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD2689 0_2_02BD2689
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BFD62E 0_2_02BFD62E
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF3671 0_2_02BF3671
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF473D 0_2_02BF473D
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF55FF 0_2_02BF55FF
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF4AAA 0_2_02BF4AAA
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF39B3 0_2_02BF39B3
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF4E08 0_2_02BF4E08
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF2FDE 0_2_02BF2FDE
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C10C10 0_2_02C10C10
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BF3D12 0_2_02BF3D12
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_032302D9 0_2_032302D9
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0322F769 0_2_0322F769
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_03243439 0_2_03243439
Source: C:\Users\user\Desktop\Aura.exe Code function: String function: 02BD2400 appears 48 times
Source: Aura.exe Static PE information: invalid certificate
Source: Aura.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Aura.exe, 00000000.00000002.4198306856.00000000008AA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGypsite.exe0 vs Aura.exe
Source: classification engine Classification label: mal52.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: Aura.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Aura.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Aura.exe String found in binary or memory: kelxU/Add0J82/ih1W
Source: unknown Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: iphlpapi.dll
Source: Aura.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Aura.exe Static file information: File size 9910848 > 1048576
Source: Aura.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x627800
Source: Aura.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1c7600
Source: Aura.exe Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x117600
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Aura.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Aura.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Aura.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Aura.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Aura.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BED0F0 pushfd ; retn 0001h 0_2_02BED0F3
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD80CF push edi; ret 0_2_02BD80D8
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD2450 push ecx; ret 0_2_02BD2463
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02C18E1B push ecx; ret 0_2_02C18E2E
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_030D2BE7 push BA00000Dh; retf 0045h 0_2_030D2BEC
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_030D4A0B push ecx; ret 0_2_030D4A0E
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_030D2667 push BA00000Bh; retf 0045h 0_2_030D266C
Source: C:\Users\user\Desktop\Aura.exe API coverage: 2.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Aura.exe, 00000000.00000000.1736682099.0000000000679000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 0bFFEavMX868V1V
Source: Aura.exe Binary or memory string: 7xe0UmVMCiEVpz69WTVnv/v
Source: Aura.exe, 00000000.00000002.4198269188.000000000085A000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: ME55ko1LvmcIW74D5zFCUY

Anti Debugging

Source: C:\Users\user\Desktop\Aura.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD21A6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02BD21A6
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_030D0225 mov eax, dword ptr fs:[00000030h] 0_2_030D0225
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD10B0 GetProcessHeap,RtlAllocateHeap, 0_2_02BD10B0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD2336 SetUnhandledExceptionFilter, 0_2_02BD2336
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BFF6A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02BFF6A6
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_02BD29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02BD29D0
Source: C:\Users\user\Desktop\Aura.exe Code function: EnumSystemLocalesW, 0_2_02C0725D
Source: C:\Users\user\Desktop\Aura.exe Code function: EnumSystemLocalesW, 0_2_02C070BE
Source: C:\Users\user\Desktop\Aura.exe Code function: EnumSystemLocalesW, 0_2_02C067D4
Source: C:\Users\user\Desktop\Aura.exe Code function: GetLocaleInfoW, 0_2_02C07BA4
Source: C:\Users\user\Desktop\Aura.exe Code function: GetLocaleInfoW, 0_2_02C06BB6
Source: C:\Users\user\Desktop\Aura.exe Code function: EnumSystemLocalesW, 0_2_02C068D8
Source: C:\Users\user\Desktop\Aura.exe Code function: EnumSystemLocalesW, 0_2_02C0683D
Source: C:\Users\user\Desktop\Aura.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_02C06963
Source: C:\Users\user\Desktop\Aura.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_02C06EBB
Source: C:\Users\user\Desktop\Aura.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_02C06CDF
Source: C:\Users\user\Desktop\Aura.exe Code function: GetLocaleInfoW, 0_2_02C06DE5
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0062F4BD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0062F4BD
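The "push ...; ret" and "mov eax, dword ptr fs:[00000030h]" evidence behind the "Uses code obfuscation techniques (call, push, ret)" and "Contains functionality to read the PEB" signatures comes from fixed instruction encodings, so a linear byte sweep can surface the same spots. The following Python is an added example and is not code from the Joe Sandbox report. It scans a code buffer for push-family opcodes paired with a trailing ret/retn/retf, and for fs:[30h] loads. SAMPLE_CODE is constructed by hand from the instruction forms the report quotes (pushfd ; retn 0001h, push edi ; ret, push BA00000Dh ; retf 0045h, push ecx ; ret, the fs:[30h] read); the filler instructions, offsets, the 16-byte pairing window and the display base are assumptions, and the buffer is not a dump of Aura.exe.

```python
"""Linear-sweep scan for the encodings behind two report signatures:
'Uses code obfuscation techniques (call, push, ret)' and 'Contains functionality to read the PEB'.

Added example; not code from the Joe Sandbox report. Standard library only. SAMPLE_CODE is a
constructed byte string assembled by hand from the instruction forms the report quotes;
it is not a dump of Aura.exe, and the filler instructions and offsets are arbitrary.
"""
import re

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# mov eax, fs:[30h] (64 A1 30 00 00 00) or mov r32, fs:[30h] (64 8B /r with mod=00 rm=101, disp32)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
RET_WINDOW = 16  # bytes after a push in which a ret still counts; the report's pairs are not all adjacent

SAMPLE_CODE = bytes.fromhex(
    "9C C2 01 00"               # pushfd ; retn 0001h                      (report: 0_2_02BED0F0)
    "90 90"                     # nop ; nop                                 (filler)
    "57 8B 45 08 31 C0 C3"      # push edi ; mov eax,[ebp+8] ; xor eax,eax ; ret   (gapped pair)
    "68 0D 00 00 BA CA 45 00"   # push BA00000Dh ; retf 0045h               (report: 0_2_030D2BE7)
    "64 A1 30 00 00 00"         # mov eax, dword ptr fs:[30h]               (PEB, report: 0_2_030D0225)
    "0F B6 40 02"               # movzx eax, byte ptr [eax+2]               (PEB.BeingDebugged)
    "51 C3"                     # push ecx ; ret                            (report: 0_2_02BD2450)
    "C3"                        # stray ret with no preceding push
)


def decode_push(buf: bytes, i: int):
    """Return (mnemonic, length) if buf[i] starts a push-family instruction, else None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:
        return f"push {REGS32[op - 0x50]}", 1
    if op == 0x9C:
        return "pushfd", 1
    if op == 0x68 and i + 5 <= len(buf):
        return f"push {int.from_bytes(buf[i + 1:i + 5], 'little'):08X}h", 5
    if op == 0x6A and i + 2 <= len(buf):
        return f"push {buf[i + 1]:02X}h", 2
    return None


def decode_ret(buf: bytes, i: int):
    """Return (mnemonic, length) if buf[i] starts ret/retn/retf, else None."""
    op = buf[i]
    if op == 0xC3:
        return "ret", 1
    if op == 0xCB:
        return "retf", 1
    if op in (0xC2, 0xCA) and i + 3 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 3], "little")
        return f"{'retn' if op == 0xC2 else 'retf'} {imm:04X}h", 3
    return None


def find_push_ret(buf: bytes, base: int = 0, window: int = RET_WINDOW):
    """Pair each push with the first ret-family opcode within `window` bytes after it."""
    hits = []
    for i in range(len(buf)):
        push = decode_push(buf, i)
        if push is None:
            continue
        mnemonic, length = push
        for j in range(i + length, min(i + length + window, len(buf))):
            ret = decode_ret(buf, j)
            if ret is not None:
                hits.append((base + i, mnemonic, base + j, ret[0]))
                break
    return hits


def find_peb_reads(buf: bytes, base: int = 0):
    """Offsets of fs:[30h] loads and the register they land in."""
    hits = []
    for m in PEB_READ.finditer(buf):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REGS32[(raw[2] >> 3) & 7]
        hits.append((base + m.start(), reg))
    return hits


if __name__ == "__main__":
    BASE = 0x02BD0000  # assumed load address, for display only
    for off, push, roff, ret in find_push_ret(SAMPLE_CODE, BASE):
        print(f"{off:08X} {push}; {ret} @ {roff:08X}")
    for off, reg in find_peb_reads(SAMPLE_CODE, BASE):
        print(f"{off:08X} mov {reg}, dword ptr fs:[00000030h]")
```

On a real sample, feed it the bytes of the executable section (the section table gives the raw offset and size) and pass that section's virtual address plus the load base as `base` so hits print like the report's addresses. A sweep without a disassembler will also match bytes inside longer instructions and immediates, so each hit needs confirming in a disassembler; the fs:[30h] load is only meaningful as an anti-debug indicator when the following instructions read PEB.BeingDebugged (offset 2) or NtGlobalFlag (offset 0x68), which is what IsDebuggerPresent itself does.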
No contacted IP infos