General

  • Target

    83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b

  • Size

    505KB

  • Sample

    220302-gr5k3sdda8

  • MD5

    13b24673d1ed4ffce62b623c5842ab37

  • SHA1

    fdcd364e3148b2301d778ebe98a00741feca798c

  • SHA256

    83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b

  • SHA512

    476d3fcfca990c9828691e07a2a07ffe069d5a6f91d32292987df2994d112eedf11cc55526ff0fcc71bf9ea508a5453caf2520ec7e35f7f255032f87780f1d43

Malware Config

Targets

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks