Malware Analysis Report

2024-10-19 02:35

Sample ID 220305-xbnwdsghh4
Target 502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837
SHA256 502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837
Tags
taurus discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837

Threat Level: Known bad

The file 502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837 was found to be: Known bad.

Malicious Activity Summary

taurus discovery spyware stealer trojan

Taurus Stealer

Taurus Stealer Payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-05 18:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-05 18:40

Reported

2022-03-05 18:43

Platform

win10v2004-en-20220112

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe

"C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe"

Network

Country Destination Domain Proto
NL 45.91.200.120:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.143.84.45:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 45.91.200.120:80 tcp
US 93.184.220.29:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp

Files

memory/1052-130-0x00000000021B0000-0x000000000221C000-memory.dmp

memory/1052-131-0x0000000000400000-0x0000000000474000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-05 18:40

Reported

2022-03-05 18:43

Platform

win7-20220223-en

Max time kernel

4294194s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe

"C:\Users\Admin\AppData\Local\Temp\502572d06c7db1bcaf2b9421ca873055182fb36a51ed5c9b725c6d3e12a66837.exe"

Network

Country Destination Domain Proto
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp
NL 45.91.200.120:80 tcp

Files

memory/1116-54-0x0000000075281000-0x0000000075283000-memory.dmp

memory/1116-55-0x0000000000480000-0x00000000004EC000-memory.dmp

memory/1116-56-0x0000000000400000-0x0000000000474000-memory.dmp