Malware Analysis Report

2024-10-23 17:13

Sample ID 210615-l8l5rd8936
Target 79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf
SHA256 79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf
Tags
taurus discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf

Threat Level: Known bad

The file 79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf was found to be: Known bad.

Malicious Activity Summary

taurus discovery spyware stealer trojan

Taurus Stealer

Taurus Stealer Payload

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-06-15 14:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-06-15 14:49

Reported

2021-06-15 14:51

Platform

win7v20210408

Max time kernel

43s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe

"C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 xixteam.xyz udp
N/A 104.21.74.189:443 xixteam.xyz tcp

Files

memory/940-59-0x0000000000220000-0x0000000000258000-memory.dmp

memory/940-60-0x0000000000400000-0x0000000000C2A000-memory.dmp

memory/940-61-0x0000000075051000-0x0000000075053000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-06-15 14:49

Reported

2021-06-15 14:51

Platform

win10v20210408

Max time kernel

69s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe

"C:\Users\Admin\AppData\Local\Temp\79df2c0e7e331b3baa2dd5a241cbf05986f2482e8024e26a3362afdd790e94cf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1672

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 xixteam.xyz udp
N/A 104.21.74.189:443 xixteam.xyz tcp

Files

memory/3164-114-0x0000000000DC0000-0x0000000000DF8000-memory.dmp

memory/3164-115-0x0000000000400000-0x0000000000C2A000-memory.dmp