Analysis
-
max time kernel
207s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
09-03-2022 04:53
Static task
static1
Behavioral task
behavioral1
Sample
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe
Resource
win7-20220223-en
General
-
Target
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe
-
Size
2.9MB
-
MD5
4868ef1ed1eeccf63f09c2407c438b2f
-
SHA1
f40fb4d4506bf9f155e1cc1b0990c65435137a86
-
SHA256
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
-
SHA512
2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5
Malware Config
Signatures
-
Taurus Stealer Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4064-133-0x00000000004B0000-0x0000000000B44000-memory.dmp family_taurus_stealer -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Wine cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exepid process 4064 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exepid process 4064 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe 4064 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe"C:\Users\Admin\AppData\Local\Temp\cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4064