General

  • Target

    9d3aab1f80e8d8025bbb38ca3ece961dd2e896041039f1bbdc1ee25996daab37

  • Size

    747KB

  • Sample

    220206-2jfxzaceg2

  • MD5

    6e29693cfa077598b069297df14fa710

  • SHA1

    408cd4b0102d173a1581fef8db3ce8142c34834c

  • SHA256

    9d3aab1f80e8d8025bbb38ca3ece961dd2e896041039f1bbdc1ee25996daab37

  • SHA512

    b7aa75062faa13f667a4f287d68c8e84fe6a1b29756a03c8df8da8cf64fe964f3930aee92f1b23acd3a1c76003c666365ec8cd0b85949a551e6b4f8ee17851f1

Malware Config

Targets

    • Target

      po-202103.exe

    • Size

      1.1MB

    • MD5

      83565d8eac8fbbc1b5392913e329397e

    • SHA1

      1795fa118fe0484f3238d94207946a988d6ad97a

    • SHA256

      787760272209442be52c110ab48a8af7b6d504725708750685275ccdee2807ec

    • SHA512

      9930aa82eec1ce8a046ff194d7ba45b24879f45a594356e325ea04614bd3d8001154da7c1f03074c2905c32750b0f4e1caf92dca86c05ccc2e77b81114721990

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Looks for VirtualBox Guest Additions in the registry

    • Looks for the VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments: hypervisors leave vendor strings such as "VirtualBox" or "VMware" in the BIOS values the guest exposes.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

    • Accesses 2FA software files (possible credential harvesting)

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments, since virtual disks usually carry the hypervisor's name in their identifiers.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a common way to redirect execution into injected code (for example in process hollowing).
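The registry-based signatures above (VirtualBox and VMware key lookups, BIOS values, Uninstall enumeration, drive mapping) are the kind of behaviour a defender can re-check in their own sandbox or EDR registry telemetry. The following Python is an added example, not part of the sandbox report or of any project: it parses constructed `pid|image|operation|key` event lines, normalises the hive spelling, matches each key against the conventional registry locations behind each signature name, and counts how many distinct anti-analysis checks fired. The report does not print the exact keys the sample opened, so the key paths in `SIGNATURE_KEYS` and the sample events are assumptions to tune against real telemetry.

```python
import re

# Conventional registry locations behind each signature named in the report.
# Assumption: the report does not list the exact keys the sample opened, so
# these are the usual paths and should be tuned against your own telemetry.
SIGNATURE_KEYS = {
    "Looks for VirtualBox Guest Additions in registry": [
        r"HKLM\\SOFTWARE\\(WOW6432Node\\)?Oracle\\VirtualBox Guest Additions",
    ],
    "Looks for VMware Tools registry key": [
        r"HKLM\\SOFTWARE\\(WOW6432Node\\)?VMware, Inc\.\\VMware Tools",
    ],
    "Checks BIOS information in registry": [
        r"HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?(\\|$)",
    ],
    "Checks installed software on the system": [
        r"HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)",
    ],
    "Maps connected drives based on registry": [
        r"HKLM\\SYSTEM\\MountedDevices(\\|$)",
        r"HKLM\\SYSTEM\\CurrentControlSet\\Enum\\(IDE|SCSI)(\\|$)",
    ],
}

_COMPILED = [(name, re.compile("^" + pat, re.IGNORECASE))
             for name, pats in SIGNATURE_KEYS.items() for pat in pats]

# Different tools spell the hive differently; map them onto HKLM/HKCU.
_HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "\\REGISTRY\\MACHINE": "HKLM",
}

# Signatures that read as sandbox/VM detection rather than data collection.
_EVASION_SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMware Tools registry key",
    "Checks BIOS information in registry",
    "Maps connected drives based on registry",
}


def normalize_key(path):
    """Strip trailing separators and collapse hive aliases to HKLM/HKCU."""
    path = path.strip().rstrip("\\")
    upper = path.upper()
    for alias, short in _HIVE_ALIASES.items():
        if upper.startswith(alias):
            return short + path[len(alias):]
    return path


def parse_events(text):
    """Parse 'pid|image|operation|key' lines (a constructed format); skip blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, image, op, key = line.split("|", 3)
        events.append((int(pid), image, op, normalize_key(key)))
    return events


def match_signatures(events):
    """Return {signature name: sorted keys that triggered it}."""
    hits = {}
    for _pid, _image, _op, key in events:
        for name, rx in _COMPILED:
            if rx.match(key):
                hits.setdefault(name, set()).add(key)
    return {name: sorted(keys) for name, keys in hits.items()}


def anti_analysis_score(hits):
    """Number of distinct sandbox-detection checks that fired."""
    return len(_EVASION_SIGNATURES & set(hits))


# Constructed sample telemetry, loosely modelled on what a sandbox would log
# for po-202103.exe; PIDs, ordering and exact keys are illustrative only.
SAMPLE_EVENTS = """
# pid|image|operation|key
4120|po-202103.exe|RegOpenKey|HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
4120|po-202103.exe|RegOpenKey|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
4120|po-202103.exe|RegQueryValue|HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
4120|po-202103.exe|RegEnumKey|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120|po-202103.exe|RegEnumKey|HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120|po-202103.exe|RegQueryValue|\\REGISTRY\\MACHINE\\SYSTEM\\MountedDevices
4120|po-202103.exe|RegOpenKey|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

if __name__ == "__main__":
    hits = match_signatures(parse_events(SAMPLE_EVENTS))
    for name, keys in hits.items():
        print(name)
        for k in keys:
            print("   ", k)
    print("anti-analysis checks fired:", anti_analysis_score(hits))
```

A single Uninstall enumeration or BIOS read is normal for installers and inventory agents; what makes this sample stand out is the combination of several evasion checks from one process, which is why the score counts distinct signatures rather than raw event volume.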

MITRE ATT&CK Enterprise v6

Tasks