General

  • Target

    info.txt.js

  • Size

    3KB

  • Sample

    210928-gm2nmaagbn

  • MD5

    a7d8a48297c4927fd6d9fa9bfd224871

  • SHA1

    07f40176246032463687f71e63bfbf42276f95b3

  • SHA256

    7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413

  • SHA512

    9971a6e9c33fbcc13f47b6025f876b7dded0406c389e5e014f210173c55ccd4f2eccab293c34527204d7572e04ed83afee406bfe8049cb89d1adc97145144a2d

Malware Config

Targets

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks