taurus_stealer | ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42

Analysis

max time kernel
50s
max time network
58s
platform
windows7_x64
resource
win7v200722
submitted
23-07-2020 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KY6mW.exe
Size

940KB
MD5

91465c291a92591087e70caa0d4c3370
SHA1

345fba0f611a59ddd30a8c87f793a80fbf82c50e
SHA256

ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
SHA512

d39d5256b4db45e8a5901a96341e2ca8e5f3dafa2b426227a1fe76f6268f8b2ca59a2c5ce332ea2f70a15287ae9a2703ca52c22dacd8beed54e0786f2b70a762

Score

10^/10

taurus_stealer persistence spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Executes dropped EXE 2 IoCs

Processes:

smss.comsmss.com

pid process

824 smss.com
380 smss.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exesmss.com

pid process

1288 cmd.exe
824 smss.com
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
824	smss.com
380	smss.com

pid	process
1288	cmd.exe
824	smss.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KY6mW.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	KY6mW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	KY6mW.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.com

description pid process target process

PID 380 set thread context of 1520 380 smss.com TapiUnattend.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1640 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

smss.com

pid process

380 smss.com
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

smss.comsmss.com

pid process

824 smss.com
824 smss.com
824 smss.com
380 smss.com
380 smss.com
380 smss.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

smss.comsmss.com

pid process

824 smss.com
824 smss.com
824 smss.com
380 smss.com
380 smss.com
380 smss.com

description	pid	process	target process
PID 380 set thread context of 1520	380	smss.com	TapiUnattend.exe

pid	process
1640	PING.EXE

pid	process
380	smss.com

pid	process
824	smss.com
824	smss.com
824	smss.com
380	smss.com
380	smss.com
380	smss.com

pid	process
824	smss.com
824	smss.com
824	smss.com
380	smss.com
380	smss.com
380	smss.com

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

KY6mW.execmd.exesmss.comsmss.com

description	pid	process	target process
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1244 wrote to memory of 1288	1244	KY6mW.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1452	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 1508	1288	cmd.exe	certutil.exe
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 1288 wrote to memory of 824	1288	cmd.exe	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 824 wrote to memory of 380	824	smss.com	smss.com
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 1288 wrote to memory of 1640	1288	cmd.exe	PING.EXE
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe
PID 380 wrote to memory of 1520	380	smss.com	TapiUnattend.exe

C:\Users\Admin\AppData\Local\Temp\KY6mW.exe
"C:\Users\Admin\AppData\Local\Temp\KY6mW.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c MenJA.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c if NOT UCQFZDUI == DESKTOP-QO5QU33 set /p ="M"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode RJar.com V
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
    smss.com V
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com V
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\TapiUnattend.exe
        
        "C:\Windows\SysWOW64\TapiUnattend.exe"
        5⤵
        
        PID:1520
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IZklY.com

MD5
41314d6909f6045c052e4166054cac9f

SHA1
05a81405a7d420d2c0fda62320b07e82d0322ab2

SHA256
92c39fd5aa85b5791cd5fe18e402f30c1c048bf89b39c6eaba89686a17d89c29

SHA512
dbb7786ab37d6762a2b317c88c91a625c73b4b37334728cf849b893ec0cfeb7c9148a614824789391bc58179fd968a3be0dc0febff38c0eccce688357e6682b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MenJA.bat

MD5
d24f54fd7b07292f5efde4e24838660c

SHA1
3b28c4779043c3c1c84415f0dc4d7dea1bf51e37

SHA256
3227a4c8a1f95b6f176d83ced9b6cb8668682c5f8dc5b1b40a43291144f47ef1

SHA512
a1119e98d485b59bc3c5974b030a02c6c01ab515f79b989b223deb17b0309689ac513de344314b22e5c10044f234880c6c266dc8c26de88a741833f70cb8b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJar.com

MD5
1fdadf5f230b5d4102ed360df14602a5

SHA1
c26e23f93811c48d5866267167208b3fb2f598cf

SHA256
d703fa1905478b50838df074b2f739abccf63a3bc32d972a6cc5a4c1d0871013

SHA512
6f745546255e70366d18c363ece46be6f5f8de7bc2b43fc23d602120e1214b6bc5c7665ee819346f56765c0758f9c33209f5421dc9fac3c31102fa10afbf2a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\V

MD5
e34f26c78aca81e89d971fefc0a3e61b

SHA1
3d41b36940b5d40c9e04c97e6ce43b0054571ce3

SHA256
b0beb02d1997584598a110fa00cfc19434c162d2c205281e7806963bece32146

SHA512
ddb7b9b9e885a2fdbb6fb43e74e2826dac2c43a957cb24ee34ca24c21aab25f3a3cacc5c7c0169d9020b1c821da5016264325905b3428a1160818742f25ec7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kZfZB.com

MD5
df6fbc5de331f39be67e2b343ff02083

SHA1
2791147f5aba7d5242d531f0444695b9fecb3c42

SHA256
ccefe3c453a32c04dd03e835879aceae0b96e7d25359dc05a8cfa7a880c21936

SHA512
35e1b55975104e9ddf24fc2842848f63c954f6e69bf8a4df370caaad43ff01f259fbd4e96e45bcbd2287192551afa3df5f9ad8726a3331d80a9c53fa558bf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/380-12-0x0000000000000000-mapping.dmp

Download
memory/824-7-0x0000000000000000-mapping.dmp

Download
memory/1288-0-0x0000000000000000-mapping.dmp

Download
memory/1452-2-0x0000000000000000-mapping.dmp

Download
memory/1508-4-0x0000000000000000-mapping.dmp

Download
memory/1520-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-17-0x0000000000425A34-mapping.dmp

Download
memory/1520-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-15-0x0000000000000000-mapping.dmp

Download