General

  • Target

    c1c071e02b712cd4e8a8e010a7b6e77a31c542221a6b9510df6b792b8a15eb40

  • Size

    8.0MB

  • Sample

    220328-wl3lvschg7

  • MD5

    d8e6da9dd193f39f4a18b9df2e8bc7ab

  • SHA1

    c95a73005b7b5722a593ac50bae91f198572d0ad

  • SHA256

    c1c071e02b712cd4e8a8e010a7b6e77a31c542221a6b9510df6b792b8a15eb40

  • SHA512

    122be791aade804d0d91c030abe282773667d46cd1f256364c2a13008c64ed1f1f823691ccc0e0b824c55ba0e00c4350d015e354a41a17c0be7a69fcd3300c8f

Malware Config

Targets

    • Target

      c1c071e02b712cd4e8a8e010a7b6e77a31c542221a6b9510df6b792b8a15eb40

    • Size

      8.0MB

    • MD5

      d8e6da9dd193f39f4a18b9df2e8bc7ab

    • SHA1

      c95a73005b7b5722a593ac50bae91f198572d0ad

    • SHA256

      c1c071e02b712cd4e8a8e010a7b6e77a31c542221a6b9510df6b792b8a15eb40

    • SHA512

      122be791aade804d0d91c030abe282773667d46cd1f256364c2a13008c64ed1f1f823691ccc0e0b824c55ba0e00c4350d015e354a41a17c0be7a69fcd3300c8f

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks