Malware Analysis Report

2024-10-19 02:35

Sample ID 220309-q34btsghh3
Target 48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e
SHA256 48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e
Tags
taurus discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e

Threat Level: Known bad

The file 48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e was found to be: Known bad.

Malicious Activity Summary

taurus discovery evasion spyware stealer trojan

Taurus Stealer

Taurus Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-09 13:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-09 13:48

Reported

2022-03-09 13:50

Platform

win7-20220223-en

Max time kernel

4294198s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe

"C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe"

Network

Country Destination Domain Proto
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp

Files

memory/964-54-0x0000000075131000-0x0000000075133000-memory.dmp

memory/964-55-0x00000000774F0000-0x0000000077670000-memory.dmp

memory/964-57-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/964-58-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/964-56-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/964-59-0x0000000000B60000-0x0000000000B61000-memory.dmp

memory/964-60-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/964-61-0x00000000002B0000-0x0000000000932000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-09 13:48

Reported

2022-03-09 13:50

Platform

win10v2004-en-20220112

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe"

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe

"C:\Users\Admin\AppData\Local\Temp\48ebbbdc7e6550ad9dd3f13bb8834d6e5647dd561365ef17ea61b4829b92484e.exe"

Network

Country Destination Domain Proto
US 72.21.91.29:80 tcp
NL 185.92.148.230:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.137.103.130:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 93.184.221.240:80 tcp
NL 185.92.148.230:80 tcp
US 209.197.3.8:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp

Files

memory/204-130-0x0000000077190000-0x0000000077333000-memory.dmp

memory/204-132-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/204-131-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/204-133-0x00000000001D0000-0x0000000000852000-memory.dmp