Overview

overview

10

Static

static

1a2d0633e0...5c.exe

windows7_x64

10

1a2d0633e0...5c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe

  • Size

    2.2MB

  • MD5

    a8db0614d948db39b865c1efa5d9eabc

  • SHA1

    4f9561138254cbbde7b8f5a0bf1798d3c2a10bda

  • SHA256

    1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c

  • SHA512

    0641650fef34bdfc9de12ab1c02c12cf0e9d30eb1e525cf60eec5c0470614b6d7b7203c58761ba11338fd461570b6ab49e4d63e90b4f9270ee8eb142c4319a70

Score
10/10
taurusdiscoveryspywarestealertrojan

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe
    "C:\Users\Admin\AppData\Local\Temp\1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe
      "C:\Users\Admin\AppData\Local\Temp\1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\SysWOW64\cmd.exe
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\1a2d0633e0273b5a9583a6e7673651d24aea85545793d804a6d4f692fcda325c.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:3400

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4124-130-0x0000000000A40000-0x0000000000C78000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4404-132-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/4404-133-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/4404-134-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/4404-135-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download