General
-
Target
info.txt.js
-
Size
3KB
-
Sample
210928-gm2nmaagbn
-
MD5
a7d8a48297c4927fd6d9fa9bfd224871
-
SHA1
07f40176246032463687f71e63bfbf42276f95b3
-
SHA256
7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413
-
SHA512
9971a6e9c33fbcc13f47b6025f876b7dded0406c389e5e014f210173c55ccd4f2eccab293c34527204d7572e04ed83afee406bfe8049cb89d1adc97145144a2d
Static task
static1
Behavioral task
behavioral1
Sample
info.txt.js
Resource
win7-en-20210920
Malware Config
Targets
-
-
Target
info.txt.js
-
Size
3KB
-
MD5
a7d8a48297c4927fd6d9fa9bfd224871
-
SHA1
07f40176246032463687f71e63bfbf42276f95b3
-
SHA256
7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413
-
SHA512
9971a6e9c33fbcc13f47b6025f876b7dded0406c389e5e014f210173c55ccd4f2eccab293c34527204d7572e04ed83afee406bfe8049cb89d1adc97145144a2d
-
Taurus Stealer Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-