Analysis Overview
SHA256: 0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1
Threat Level: Known bad
The file 0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Deletes itself
Reads user/profile data of web browsers
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-07-31 06:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-07-31 06:05
Reported: 2021-07-31 06:08
Platform: win7v20210408
Max time kernel: 41s
Max time network: 67s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1844 set thread context of 108 | N/A | C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | "C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe" |
| C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | "C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 3 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2021-07-31 06:05
Reported: 2021-07-31 06:07
Platform: win10v20210410
Max time kernel: 16s
Max time network: 115s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3956 set thread context of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | "C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe" |
| C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe | "C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0e362e064fca6127dff2f0b52d55343494ed661e54aafad7ee923545974ec2e1.exe |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 3 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
| N/A | 95.181.157.82:80 | 95.181.157.82 | tcp |
Files