General

  • Target

    80e1a8d742af3e917125d6a832f192e0

  • Size

    761KB

  • Sample

    211018-l1t8xsdda8

  • MD5

    80e1a8d742af3e917125d6a832f192e0

  • SHA1

    0ff5a3db02e5423b59ea3fc38f40e96ea7e433af

  • SHA256

    be1ea1e4432bc2dd5531c026722fcb05b673f894c7cb72ca707f177acaa278cd

  • SHA512

    2ea2610f0c6dd4a050377c59793726798f2648d18735b9cb04babf0090393fad7d48960a28e1314c31091dae6346b50b9b74e8515910f32a3c4e503250aa5a9b

Targets

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Accesses 2FA software files, possible credential harvesting

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
