Analysis Overview
SHA256
0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1
Threat Level: Known bad
The file 0F1D580624CC7159B639BB65686EFBBA.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer Payload
Taurus Stealer
Deletes itself
Reads user/profile data of web browsers
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-30 19:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-30 19:04
Reported
2021-07-30 19:07
Platform
win7v20210408
Max time kernel
43s
Max time network
77s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1936 set thread context of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
"C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe"
C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
"C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe"
C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files
memory/1936-60-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/1936-62-0x0000000000A70000-0x0000000000AB2000-memory.dmp
memory/1936-63-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/460-64-0x0000000000400000-0x000000000043B000-memory.dmp
memory/460-65-0x000000000041E9F1-mapping.dmp
memory/460-66-0x0000000075201000-0x0000000075203000-memory.dmp
memory/460-67-0x0000000000400000-0x000000000043B000-memory.dmp
memory/400-68-0x0000000000000000-mapping.dmp
memory/1672-69-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-30 19:04
Reported
2021-07-30 19:06
Platform
win10v20210410
Max time kernel
15s
Max time network
152s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2752 set thread context of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe | C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
"C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe"
C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
"C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe"
C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0F1D580624CC7159B639BB65686EFBBA.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files
memory/2752-114-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
memory/2752-116-0x0000000005670000-0x0000000005671000-memory.dmp
memory/2752-117-0x00000000055D0000-0x0000000005612000-memory.dmp
memory/2752-118-0x0000000005F70000-0x0000000005F71000-memory.dmp
memory/2752-119-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/680-120-0x0000000000400000-0x000000000043B000-memory.dmp
memory/680-121-0x000000000041E9F1-mapping.dmp
memory/680-122-0x0000000000400000-0x000000000043B000-memory.dmp
memory/412-123-0x0000000000000000-mapping.dmp
memory/1288-124-0x0000000000000000-mapping.dmp