msoffice_invoice1764727.doc

General

Target: msoffice_invoice1764727.doc
Size: 97KB
Sample: 200803-gexmw79xys
Score: 10/10
MD5: 5d38f68c18e3d9557523b25ad3fe4a86
SHA1: a2c736b4bb06131dbb828c79711a1c7ec729d501
SHA256: eef4b50a6a9a4371bc70b9b79d033053f0419c8c216118a6b5046117e4d6e272
SHA512: 4a6dcba8e2563f09dda60ac52dcda7f93e699f254a745d04ebbec57564e37371470e9d41473c2e33ad11256dea9f7a811810aeab1263a203048058c83a3f73f9

Malware Config

Extracted

Language: ps1
Deobfuscated URLs (type: exe.dropper)

  • http://185.189.12.182/RLCOrLHeK.com
  • http://185.189.12.182/FfvEZtUVUkHjw.com
  • http://185.189.12.182/GUavFcvTh.com

Targets

Target: msoffice_invoice1764727.doc
MD5: 5d38f68c18e3d9557523b25ad3fe4a86
Filesize: 97KB
Score: 10/10
SHA1: a2c736b4bb06131dbb828c79711a1c7ec729d501
SHA256: eef4b50a6a9a4371bc70b9b79d033053f0419c8c216118a6b5046117e4d6e272
SHA512: 4a6dcba8e2563f09dda60ac52dcda7f93e699f254a745d04ebbec57564e37371470e9d41473c2e33ad11256dea9f7a811810aeab1263a203048058c83a3f73f9
Tags:

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Taurus Stealer

    Description

    Taurus is an infostealer first seen in June 2020.

    Tags

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks

  • behavioral1: 10/10
  • behavioral2: 10/10