Analysis

max time kernel: 43s
max time network: 68s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 13:05

Static task: static1
Behavioral task: behavioral1
Sample: 2bc33.exe
Resource: win7v20210408
0 signatures
0 seconds
General

Target: 2bc33.exe
Size: 354KB
MD5: 56405ac1aada433e5134304744981cee
SHA1: d03df32535bd469e4dd5033d0fe8785c4b23ee91
SHA256: 2bc33396eeb4553f5c5187d16d426d71bc7156c9bcc7c7fd7bce43b29447e6ab
SHA512: 9c7aa5303dd38a0424533f474d271b658e2f7b614f804e0e3fd1489980a2d320e6a92f20c4ea28349763957004c7bd48ba8d088df6955fe68902c76da7ddabdc
Malware Config

Signatures

- Taurus Stealer Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1240-61-0x0000000000220000-0x0000000000258000-memory.dmp | family_taurus_stealer
  behavioral1/memory/1240-62-0x0000000000400000-0x0000000000851000-memory.dmp | family_taurus_stealer

- Deletes itself (1 IoCs)
  Processes:
  pid | process
  864 | cmd.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  1848 | timeout.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1240 wrote to memory of 864 | 1240 | 2bc33.exe | cmd.exe
  PID 1240 wrote to memory of 864 | 1240 | 2bc33.exe | cmd.exe
  PID 1240 wrote to memory of 864 | 1240 | 2bc33.exe | cmd.exe
  PID 1240 wrote to memory of 864 | 1240 | 2bc33.exe | cmd.exe
  PID 864 wrote to memory of 1848 | 864 | cmd.exe | timeout.exe
  PID 864 wrote to memory of 1848 | 864 | cmd.exe | timeout.exe
  PID 864 wrote to memory of 1848 | 864 | cmd.exe | timeout.exe
  PID 864 wrote to memory of 1848 | 864 | cmd.exe | timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2bc33.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bc33.exe"
   PID: 1240
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\2bc33.exe
      PID: 864
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 3
         PID: 1848
         - Delays execution with timeout.exe