Analysis
- max time kernel: 124s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 10:00
Static task: static1
Behavioral task: behavioral1
- Sample: e48448d2eff914c9ade6cd4fa03a2871.exe
- Resource: win7-en-20210920
- 0 signatures
- 0 seconds
General
- Target: e48448d2eff914c9ade6cd4fa03a2871.exe
- Size: 456KB
- MD5: e48448d2eff914c9ade6cd4fa03a2871
- SHA1: 6c193b4f03904955c6a00e08cc46abe8192fb693
- SHA256: 50c3094cb95527f4530bc12cf307a00f2de46c42b81b38aa224842afceaedb67
- SHA512: e0f554a574f137fa8bb6b1044e1d4a0db7fc178fed8a764b952fc8e904481764c01661eb9fde42eea09701a18031ee826ab990597a32cc8e8a9fd439a0fc24d6
Malware Config
Signatures
- Taurus Stealer Payload (2 IoCs)
  Processes:
  resource                                                                   | yara_rule
  behavioral2/memory/1744-116-0x0000000002580000-0x00000000025B8000-memory.dmp | family_taurus_stealer
  behavioral2/memory/1744-117-0x0000000000400000-0x000000000086A000-memory.dmp | family_taurus_stealer
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid  | process
  1588 | timeout.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                         | pid  | process                              | target process
  PID 1744 wrote to memory of 2248    | 1744 | e48448d2eff914c9ade6cd4fa03a2871.exe | cmd.exe
  PID 1744 wrote to memory of 2248    | 1744 | e48448d2eff914c9ade6cd4fa03a2871.exe | cmd.exe
  PID 1744 wrote to memory of 2248    | 1744 | e48448d2eff914c9ade6cd4fa03a2871.exe | cmd.exe
  PID 2248 wrote to memory of 1588    | 2248 | cmd.exe                              | timeout.exe
  PID 2248 wrote to memory of 1588    | 2248 | cmd.exe                              | timeout.exe
  PID 2248 wrote to memory of 1588    | 2248 | cmd.exe                              | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe"
  - Suspicious use of WriteProcessMemory
  - PID: 1744
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe
    - Suspicious use of WriteProcessMemory
    - PID: 2248
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout /t 3
      - Delays execution with timeout.exe
      - PID: 1588