Analysis Overview
SHA256
24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60
Threat Level: Known bad
The file 24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 06:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 06:02
Reported
2021-05-15 06:05
Platform
win7v20210410
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1748 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe
"C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 51.195.70.170:80 | 51.195.70.170 | tcp |
Files
memory/1748-59-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/1748-61-0x0000000004E20000-0x0000000004E21000-memory.dmp
memory/1748-62-0x00000000005D0000-0x00000000005DE000-memory.dmp
memory/1748-63-0x0000000007E10000-0x0000000007EA0000-memory.dmp
memory/1748-64-0x0000000002180000-0x00000000021C8000-memory.dmp
memory/1364-65-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1364-66-0x000000000041EC63-mapping.dmp
memory/1364-67-0x00000000757E1000-0x00000000757E3000-memory.dmp
memory/1364-68-0x0000000000400000-0x000000000043A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 06:02
Reported
2021-05-15 06:05
Platform
win10v20210408
Max time kernel
130s
Max time network
155s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 796 set thread context of 200 | N/A | C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe
"C:\Users\Admin\AppData\Local\Temp\24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 51.195.70.170:80 | | tcp |
| N/A | 51.195.70.170:80 | | tcp |
| N/A | 51.195.70.170:80 | | tcp |
| N/A | 51.195.70.170:80 | | tcp |
| N/A | 51.195.70.170:80 | | tcp |
Files
memory/796-114-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/796-116-0x0000000005780000-0x0000000005781000-memory.dmp
memory/796-117-0x00000000051A0000-0x00000000051A1000-memory.dmp
memory/796-118-0x0000000005100000-0x0000000005192000-memory.dmp
memory/796-119-0x0000000005190000-0x0000000005191000-memory.dmp
memory/796-120-0x00000000087F0000-0x00000000087F1000-memory.dmp
memory/796-121-0x0000000008700000-0x000000000870E000-memory.dmp
memory/796-122-0x00000000089B0000-0x0000000008A40000-memory.dmp
memory/796-123-0x000000000B170000-0x000000000B1B8000-memory.dmp
memory/200-124-0x0000000000400000-0x000000000043A000-memory.dmp
memory/200-125-0x000000000041EC63-mapping.dmp
memory/200-126-0x0000000000400000-0x000000000043A000-memory.dmp