Malware Analysis Report

2024-10-19 02:35

Sample ID 211018-l1xdaaddc9
Target dab8845fdec7b9c436287f8bdcaf516d
SHA256 ae6a91cfb49c616fe12f1f8a6212728700f6954ce06d09b9b668dfdd102ff1f3
Tags
taurus spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae6a91cfb49c616fe12f1f8a6212728700f6954ce06d09b9b668dfdd102ff1f3

Threat Level: Known bad

The file dab8845fdec7b9c436287f8bdcaf516d was found to be: Known bad.

Malicious Activity Summary

taurus spyware stealer trojan

Taurus Stealer

Taurus Stealer Payload

Accesses 2FA software files, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-18 10:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-18 10:00

Reported

2021-10-18 10:08

Platform

win7-en-20211014

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1500 set thread context of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe

"C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp

Files

memory/1500-55-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1500-57-0x0000000000390000-0x0000000000392000-memory.dmp

memory/1500-58-0x0000000007AD0000-0x0000000007B64000-memory.dmp

memory/1500-59-0x0000000002030000-0x0000000002082000-memory.dmp

memory/1500-60-0x0000000007030000-0x0000000007031000-memory.dmp

memory/268-61-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-62-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-63-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-64-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-65-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-66-0x0000000000400000-0x000000000043A000-memory.dmp

memory/268-67-0x000000000041EC63-mapping.dmp

memory/268-68-0x0000000076431000-0x0000000076433000-memory.dmp

memory/268-69-0x0000000000400000-0x000000000043A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-18 10:00

Reported

2021-10-18 10:09

Platform

win10-en-20210920

Max time kernel

146s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2384 set thread context of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2384 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe

"C:\Users\Admin\AppData\Local\Temp\dab8845fdec7b9c436287f8bdcaf516d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sv.symcb.com udp
US 72.21.91.29:80 sv.symcb.com tcp
US 8.8.8.8:53 s.symcb.com udp
US 72.21.91.29:80 s.symcb.com tcp
DE 51.195.70.170:80 tcp
US 8.8.8.8:53 ts-crl.ws.symantec.com udp
US 72.21.91.29:80 ts-crl.ws.symantec.com tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp
DE 51.195.70.170:80 tcp

Files

memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

memory/2384-117-0x0000000007990000-0x0000000007991000-memory.dmp

memory/2384-118-0x0000000007490000-0x0000000007491000-memory.dmp

memory/2384-119-0x0000000004ED0000-0x0000000004ED2000-memory.dmp

memory/2384-120-0x0000000007530000-0x0000000007531000-memory.dmp

memory/2384-121-0x0000000007480000-0x0000000007481000-memory.dmp

memory/2384-122-0x0000000008030000-0x00000000080C4000-memory.dmp

memory/2384-123-0x000000000B560000-0x000000000B5B2000-memory.dmp

memory/356-124-0x0000000000400000-0x000000000043A000-memory.dmp

memory/356-125-0x000000000041EC63-mapping.dmp

memory/356-126-0x0000000000400000-0x000000000043A000-memory.dmp