General

  • Target

    4a71267609d0b15255c19c6892a365514d122ced1ebe66df1aa795b94a125a11

  • Size

    2.4MB

  • Sample

    220320-bfmm8sdgc3

  • MD5

    7f1ce9e6eac4ba673a3e8e0177421fe5

  • SHA1

    1f4e85d80ad7e635bfb6a0947fa60bb53eb8b443

  • SHA256

    4a71267609d0b15255c19c6892a365514d122ced1ebe66df1aa795b94a125a11

  • SHA512

    02f4cc79a1110bbada597edaecce7f477e15d9a31942bd06055a2fdcc2419cfb6ea064397e4db173d59f26a27086947acce28ee235ed6a425d54a9d55952bb3e

Malware Config

Targets

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks