Analysis

  • max time kernel
    207s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    09-03-2022 04:53

General

  • Target

    cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe

  • Size

    2.9MB

  • MD5

    4868ef1ed1eeccf63f09c2407c438b2f

  • SHA1

    f40fb4d4506bf9f155e1cc1b0990c65435137a86

  • SHA256

    cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010

  • SHA512

    2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Taurus Stealer Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe
    "C:\Users\Admin\AppData\Local\Temp\cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe"
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4064

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4064-130-0x0000000077B70000-0x0000000077D13000-memory.dmp

    Filesize

    1.6MB

  • memory/4064-131-0x0000000003070000-0x0000000003071000-memory.dmp

    Filesize

    4KB

  • memory/4064-132-0x0000000003080000-0x0000000003081000-memory.dmp

    Filesize

    4KB

  • memory/4064-133-0x00000000004B0000-0x0000000000B44000-memory.dmp

    Filesize

    6.6MB