Analysis Overview
SHA256
0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1
Threat Level: Known bad
The file 0F1D580624CC7159B639BB65686EFBBA.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Deletes itself
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-30 18:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-30 18:32
Reported
2021-07-30 18:34
Platform
win7v20210408
Max time kernel
48s
Max time network
47s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 360 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | "C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe" |
| C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | "C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe" |
| C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | "C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 3 |
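The process list above shows two behaviours worth a detection rule: the sample spawns a second copy of its own image and rewrites that copy's thread context (the SetThreadContext plus WriteProcessMemory pair flagged in the Signatures, the usual shape of process hollowing), and it then launches `cmd.exe /c timeout /t 3 & del /f /q <its own path>` to delete itself after a short delay. The following is an added example by the editor, not code from the report or the sandbox vendor. The process-creation and API events it runs on are constructed to mirror this report: PIDs 360 and 1324 come from the SetThreadContext signature, while the cmd.exe and timeout.exe PIDs, the parent/child links, and the `ping -n` variant in the delay list are assumptions.

```python
import re
from dataclasses import dataclass

# Commands that stall before the delete runs. "ping -n N" is a common stand-in
# for timeout.exe; it is not in this report and is included as an assumption.
DELAY_CMDS = {"timeout", "timeout.exe", "ping", "ping.exe"}
DELETE_CMDS = {"del", "erase"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    api: str          # e.g. "SetThreadContext", "WriteProcessMemory"
    source_pid: int
    target_pid: int


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _norm(path):
    return path.strip('"').lower()


def _cmd_payload_commands(tokens):
    """Return the commands after 'cmd /c', split on '&' or '&&'."""
    lowered = [t.lower() for t in tokens]
    if "/c" not in lowered:
        return []
    cmds, cur = [], []
    for t in tokens[lowered.index("/c") + 1:]:
        if t in ("&", "&&"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(t)
    if cur:
        cmds.append(cur)
    return cmds


def find_self_delete(events):
    """Flag cmd.exe children whose /c payload deletes the parent's own image.

    Returns (cmd_pid, victim_pid, delayed) tuples; `delayed` records whether a
    timeout/ping step precedes the del, as in the report's chain.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not _norm(ev.image).endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        cmds = _cmd_payload_commands(tokenize(ev.cmdline))
        delayed = any(_norm(c[0]) in DELAY_CMDS for c in cmds)
        for c in cmds:
            if _norm(c[0]) not in DELETE_CMDS:
                continue
            targets = {_norm(t) for t in c[1:] if not t.startswith("/")}
            if _norm(parent.image) in targets:
                hits.append((ev.pid, parent.pid, delayed))
    return hits


def hollowing_candidates(events, api_events):
    """Pair a WriteProcessMemory and a SetThreadContext from one source into a
    same-image child it spawned: the classic hollowing shape."""
    by_pid = {e.pid: e for e in events}
    ctx = {(a.source_pid, a.target_pid) for a in api_events if a.api == "SetThreadContext"}
    wpm = {(a.source_pid, a.target_pid) for a in api_events if a.api == "WriteProcessMemory"}
    out = []
    for src, tgt in ctx & wpm:
        s, t = by_pid.get(src), by_pid.get(tgt)
        if s and t and t.ppid == src and _norm(s.image) == _norm(t.image):
            out.append((src, tgt))
    return sorted(out)


# Constructed events mirroring the report's process list (parent links and the
# cmd.exe/timeout.exe PIDs are assumptions, not taken from the report).
EXE = r"C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe"
SAMPLE_EVENTS = [
    ProcEvent(360, 1000, EXE, f'"{EXE}"'),
    ProcEvent(1324, 360, EXE, f'"{EXE}"'),
    ProcEvent(1124, 1324, r"C:\Windows\SysWOW64\cmd.exe", f"/c timeout /t 3 & del /f /q {EXE}"),
    ProcEvent(1956, 1124, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 3"),
]
SAMPLE_API = [
    ApiEvent("WriteProcessMemory", 360, 1324),
    ApiEvent("SetThreadContext", 360, 1324),
]

if __name__ == "__main__":
    print("self-delete:", find_self_delete(SAMPLE_EVENTS))                 # [(1124, 1324, True)]
    print("hollowing:", hollowing_candidates(SAMPLE_EVENTS, SAMPLE_API))  # [(360, 1324)]
```

The self-delete check keys on the deleted path matching the parent's image rather than on the literal `timeout /t 3`, so a sample that changes the delay or swaps `del` for `erase` is still caught; the hollowing check requires both API calls from the same source into a child of the same image, which keeps ordinary debuggers and same-image relaunches without memory writes out of the result.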
Network
| Country | Destination | Domain | Proto |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files
memory/360-60-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/360-62-0x00000000005C0000-0x0000000000602000-memory.dmp
memory/360-63-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
memory/1324-64-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1324-65-0x000000000041E9F1-mapping.dmp
memory/1324-66-0x0000000075451000-0x0000000075453000-memory.dmp
memory/1324-67-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1124-68-0x0000000000000000-mapping.dmp
memory/1956-69-0x0000000000000000-mapping.dmp
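The dump names above encode which process held what: PID 360 (the first instance) has several small allocations plus a 0x42000-byte region at 0x5C0000, while PID 1324 (the instance whose thread context 360 rewrote) has a 0x3B000-byte region at 0x400000, the default 32-bit image base, and a mapping entry at 0x41E9F1 inside that region, which is where the redirected thread context points. The two zero-address mapping entries (PIDs 1124 and 1956) belong to processes with no dumped image region. The parser below is an added example by the editor, not part of the report; it turns the artefact names into per-PID regions and flags the hollowed-child pattern. The filename list is copied from this report; the interpretation rules (image at 0x400000, mapping address inside it, reading the offset as an RVA) are the editor's heuristic.

```python
import re
from collections import defaultdict

# Artefact naming observed in the report:
#   memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp   dumped region
#   memory/<pid>-<n>-0x<addr>-mapping.dmp           mapped address
_DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return a dict for one artefact name, or None if it does not match."""
    m = _DUMP.match(name)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
        "kind": m["kind"],
    }


def group_by_pid(names):
    groups = defaultdict(list)
    for n in names:
        rec = parse_dump_name(n)
        if rec:
            groups[rec["pid"]].append(rec)
    return dict(groups)


def region_sizes(names):
    """(pid, start, size) for every dumped region, largest first within a PID."""
    rows = [
        (r["pid"], r["start"], r["end"] - r["start"])
        for recs in group_by_pid(names).values()
        for r in recs
        if r["kind"] == "memory"
    ]
    return sorted(set(rows), key=lambda t: (t[0], -t[2], t[1]))


def find_hollowed(names, image_base=0x400000):
    """PIDs that own a dumped region at the usual 32-bit image base with a
    mapping address inside it. Returns (pid, base, size, entry_rva)."""
    out = set()
    for pid, recs in group_by_pid(names).items():
        regions = {
            (r["start"], r["end"]) for r in recs
            if r["kind"] == "memory" and r["start"] == image_base
        }
        addrs = [r["start"] for r in recs if r["kind"] == "mapping" and r["start"] != 0]
        for start, end in regions:
            for a in addrs:
                if start <= a < end:
                    out.add((pid, start, end - start, a - start))
    return sorted(out)


# Artefact names copied from the behavioral1 Files section of the report.
REPORT_DUMPS = [
    "memory/360-60-0x0000000000D90000-0x0000000000D91000-memory.dmp",
    "memory/360-62-0x00000000005C0000-0x0000000000602000-memory.dmp",
    "memory/360-63-0x0000000004FB0000-0x0000000004FB1000-memory.dmp",
    "memory/1324-64-0x0000000000400000-0x000000000043B000-memory.dmp",
    "memory/1324-65-0x000000000041E9F1-mapping.dmp",
    "memory/1324-66-0x0000000075451000-0x0000000075453000-memory.dmp",
    "memory/1324-67-0x0000000000400000-0x000000000043B000-memory.dmp",
    "memory/1124-68-0x0000000000000000-mapping.dmp",
    "memory/1956-69-0x0000000000000000-mapping.dmp",
]

if __name__ == "__main__":
    for pid, start, size in region_sizes(REPORT_DUMPS):
        print(f"pid {pid}: 0x{start:X} size 0x{size:X}")
    for pid, base, size, rva in find_hollowed(REPORT_DUMPS):
        print(f"hollowed candidate pid {pid}: image 0x{base:X} (+0x{size:X}), entry RVA 0x{rva:X}")
```

When carving the injected payload for static analysis, the 0x400000 region of the child is the one to dump; the entry RVA 0x1E9F1 is what a loader would need to restore to resume the payload in a controlled environment, and the 0x42000-byte region in PID 360 is the likely staging buffer the parent wrote from.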
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-30 18:32
Reported
2021-07-30 18:34
Platform
win10v20210410
Max time kernel
15s
Max time network
152s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3984 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | "C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe" |
| C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | "C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 3 |
Network
| Country | Destination | Domain | Proto |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files
memory/3984-114-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/3984-116-0x0000000005100000-0x0000000005101000-memory.dmp
memory/3984-117-0x0000000002C20000-0x0000000002C62000-memory.dmp
memory/3984-118-0x0000000005A00000-0x0000000005A01000-memory.dmp
memory/3984-119-0x0000000005260000-0x0000000005261000-memory.dmp
memory/2680-120-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2680-121-0x000000000041E9F1-mapping.dmp
memory/2680-122-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3052-123-0x0000000000000000-mapping.dmp
memory/3676-124-0x0000000000000000-mapping.dmp