Analysis
max time kernel: 146s
max time network: 164s
platform: windows10_x64
resource: win10-en-20210920
submitted: 18-10-2021 10:00

Static task: static1
Behavioral task: behavioral1
  Sample: dab8845fdec7b9c436287f8bdcaf516d.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds
General
Target: dab8845fdec7b9c436287f8bdcaf516d.exe
Size: 1.6MB
MD5: dab8845fdec7b9c436287f8bdcaf516d
SHA1: af9683f4f13c131a027e47683d202eeb502e54ef
SHA256: ae6a91cfb49c616fe12f1f8a6212728700f6954ce06d09b9b668dfdd102ff1f3
SHA512: dd304f8c5c66c020b003aae40f8c084fc4874e8a3afb4297e183b08e49e46f261274f6d31157791db0267a7c02a992e4e70a61df51873f937e1d1d624dae8f73
Malware Config
Signatures

Taurus Stealer Payload (3 IoCs)
YARA rule family_taurus_stealer matched the following memory dumps of PID 356 (from the behavioral2 task):
  behavioral2/memory/356-124-0x0000000000400000-0x000000000043A000-memory.dmp
  behavioral2/memory/356-125-0x000000000041EC63-mapping.dmp
  behavioral2/memory/356-126-0x0000000000400000-0x000000000043A000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
  PID 2384 (dab8845fdec7b9c436287f8bdcaf516d.exe) set thread context of PID 356 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2384 (dab8845fdec7b9c436287f8bdcaf516d.exe) wrote to memory of PID 356 (RegSvcs.exe), 9 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe (PID 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 356)
    command line: "{path}"
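Read together, the three signatures describe process hollowing: the sample (PID 2384) starts the signed .NET host RegSvcs.exe (PID 356), writes into it nine times with WriteProcessMemory, redirects its main thread with SetThreadContext, and the region the sandbox then dumped from PID 356 (0x400000 to 0x43A000, with the thread context address 0x41EC63 inside it) is what the family_taurus_stealer YARA rule fires on. Note that these hits come from the behavioral2 (win10) task named in the dump paths; the behavioral1 (win7) task listed above recorded 0 signatures. The following Python script is an added example and is not part of the sandbox report or of any tool it was produced by: it parses the report's own IoC lines (embedded here as constructed input), correlates the two API signatures per source/target pair into a hollowing verdict, and checks that the mapping address lies inside the dumped region. The allow-list of commonly hollowed .NET hosts is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed input, copied from the report above: one SetThreadContext event and the
# nine identical WriteProcessMemory events, in the sandbox's
# "PID <src> <action> <dst> <src> <src image> <dst image>" form.
CTX_LINE = "PID 2384 set thread context of 356 2384 dab8845fdec7b9c436287f8bdcaf516d.exe RegSvcs.exe"
WRITE_LINE = "PID 2384 wrote to memory of 356 2384 dab8845fdec7b9c436287f8bdcaf516d.exe RegSvcs.exe"
EVENT_LINES = "\n".join([CTX_LINE] + [WRITE_LINE] * 9)

# The three dump names the YARA rule family_taurus_stealer matched (from the report).
DUMP_NAMES = [
    "behavioral2/memory/356-124-0x0000000000400000-0x000000000043A000-memory.dmp",
    "behavioral2/memory/356-125-0x000000000041EC63-mapping.dmp",
    "behavioral2/memory/356-126-0x0000000000400000-0x000000000043A000-memory.dmp",
]

# Assumption: a short illustrative list of signed .NET framework utilities that are
# commonly started suspended and hollowed; extend it for your own environment.
KNOWN_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
               "vbc.exe", "csc.exe", "applaunch.exe"}

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
REGION_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


@dataclass
class InjectionPair:
    source_image: str
    target_image: str
    writes: int = 0
    context_sets: int = 0


def parse_events(text):
    """Group the per-event IoC lines by (source pid, target pid)."""
    pairs = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        src_pid, action, dst_pid, src_img, dst_img = m.groups()
        pair = pairs.setdefault((src_pid, dst_pid), InjectionPair(src_img, dst_img))
        if action.startswith("wrote"):
            pair.writes += 1
        else:
            pair.context_sets += 1
    return pairs


def hollowing_candidates(pairs):
    """Process hollowing needs both primitives against the same target: the payload is
    written in with WriteProcessMemory and the suspended main thread is redirected into it
    with SetThreadContext. Either API alone is common in benign software (debuggers, crash
    handlers); the combination against a signed framework host is the signal."""
    return {key: p for key, p in pairs.items()
            if p.writes > 0 and p.context_sets > 0 and p.target_image.lower() in KNOWN_HOSTS}


def mapping_inside_dumped_region(dump_names, pid):
    """Check that the address recorded in the target's mapping dump lies inside the memory
    region dumped for that pid, which ties the YARA hit to the hollowed process."""
    regions, mappings = [], []
    for name in dump_names:
        m = REGION_RE.search(name)
        if m and m.group(1) == pid:
            regions.append((int(m.group(2), 16), int(m.group(3), 16)))
        m = MAPPING_RE.search(name)
        if m and m.group(1) == pid:
            mappings.append(int(m.group(2), 16))
    return bool(mappings) and all(any(lo <= addr < hi for lo, hi in regions) for addr in mappings)


def verdict(event_text, dump_names):
    """Return one finding per hollowing candidate as (source, target, region-check) tuples."""
    findings = []
    for (src_pid, dst_pid), p in hollowing_candidates(parse_events(event_text)).items():
        findings.append((f"{p.source_image} ({src_pid})", f"{p.target_image} ({dst_pid})",
                         mapping_inside_dumped_region(dump_names, dst_pid)))
    return findings


if __name__ == "__main__":
    for src, dst, region_ok in verdict(EVENT_LINES, DUMP_NAMES):
        print(f"hollowing candidate: {src} -> {dst}; mapping inside dumped region: {region_ok}")
```

The same correlation applies to live telemetry: with Sysmon, the equivalent is a process-access or create-remote-thread style event from the parent to a freshly spawned, suspended framework host, and the dumped region check maps onto scanning the child's private, executable, non-image-backed memory with the same YARA rule.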