taurus_stealer | 5aac756ea6972d035e0d7c5d33867a621aef20e723e30eb57af2b42c05233964

General

Target

9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe
Size

291KB
MD5

ce29efcf5510c0a9dcb38f62d50a5e8b
SHA1

eb9a28d284303663ab5bbbab9e8cc7db88cf7a2f
SHA256

9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e
SHA512

dee3945c894c586f1a4d42581796e1ce257cc5ec8a98368de391d664328ac7318163aff9edcd5eac9b9ab4c3b3407c2448add2d07b3863a74f513bf0541a77aa

Score

10^/10

taurus_stealer discovery spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1648	timeout.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 2004 wrote to memory of 1736	2004	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	29
PID 1736 wrote to memory of 1956	1736	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	32
PID 1736 wrote to memory of 1956	1736	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	32
PID 1736 wrote to memory of 1956	1736	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	32
PID 1736 wrote to memory of 1956	1736	9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe	32
PID 1956 wrote to memory of 1648	1956	cmd.exe	34
PID 1956 wrote to memory of 1648	1956	cmd.exe	34
PID 1956 wrote to memory of 1648	1956	cmd.exe	34
PID 1956 wrote to memory of 1648	1956	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe
"C:\Users\Admin\AppData\Local\Temp\9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe
  "C:\Users\Admin\AppData\Local\Temp\9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\9bec30afd640d68be28fef4e6b5abcc14d90b2c7293d7709619b8f9b9e685b7e.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-6-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp

Filesize
2.5MB

Download
memory/1736-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1736-5-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1736-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2004-2-0x00000000030A0000-0x00000000030B1000-memory.dmp

Filesize
68KB

Download
memory/2004-7-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing