Analysis Overview
SHA256
4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb
Threat Level: Known bad
The file 4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-13 09:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-13 09:40
Reported
2021-05-13 12:04
Platform
win7v20210408
Max time kernel
146s
Max time network
180s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Processes
C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe
"C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
Files
memory/1956-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
memory/1956-61-0x00000000003A0000-0x00000000003D8000-memory.dmp
memory/1956-62-0x0000000000400000-0x000000000179F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-13 09:40
Reported
2021-05-13 12:04
Platform
win10v20210408
Max time kernel
42s
Max time network
52s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 852 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 852 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 852 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 412 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 412 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 412 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe
"C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe"
C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\4F2C35EB6899EF553B92798363FD8F6C25C8B4EEF4218.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 3
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
| N/A | 8.8.8.8:53 | chakazi.xyz | udp |
Files
memory/852-114-0x00000000017A0000-0x00000000018EA000-memory.dmp
memory/852-115-0x0000000000400000-0x000000000179F000-memory.dmp
memory/412-116-0x0000000000000000-mapping.dmp
memory/2000-117-0x0000000000000000-mapping.dmp