taurus | 46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb

General

Target

46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe
Size

488KB
MD5

7978376aae6002b7f518acabd27fa797
SHA1

06551640b2f681b89b81c0cb0031b7ab8457d46b
SHA256

46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb
SHA512

c4a0cb4fd1ba741e72f673d9efa103b220b6db68f136e5355cdaafea179b5f5654e092ae129cd1d584fbd725823f35e0812dd1bb67ea34270056030dfb774969

Score

10^/10

taurus discovery spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2700-132-0x0000000004080000-0x00000000040B6000-memory.dmp	family_taurus_stealer
behavioral2/memory/2700-133-0x0000000000400000-0x0000000002336000-memory.dmp	family_taurus_stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4356	2700	WerFault.exe	79
4348	2700	WerFault.exe	79
4956	2700	WerFault.exe	79
3892	2700	WerFault.exe	79
1636	2700	WerFault.exe	79
4460	2700	WerFault.exe	79
4568	2700	WerFault.exe	79
1056	2700	WerFault.exe	79
1208	2700	WerFault.exe	79
4436	2700	WerFault.exe	79

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4168	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4572	2700	46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe	98
PID 2700 wrote to memory of 4572	2700	46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe	98
PID 2700 wrote to memory of 4572	2700	46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe	98
PID 4572 wrote to memory of 4168	4572	cmd.exe	101
PID 4572 wrote to memory of 4168	4572	cmd.exe	101
PID 4572 wrote to memory of 4168	4572	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe
"C:\Users\Admin\AppData\Local\Temp\46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 692
  2⤵
  - Program crash
  PID:4356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 736
  2⤵
  - Program crash
  PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 692
  2⤵
  - Program crash
  PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 712
  2⤵
  - Program crash
  PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 772
  2⤵
  - Program crash
  PID:1636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 948
  2⤵
  - Program crash
  PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1204
  2⤵
  - Program crash
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1260
  2⤵
  - Program crash
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\46af026f8b54d3857caf15c88286c3e3f202e67517cb4e927f9985bc018fc2bb.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1352
  2⤵
  - Program crash
  PID:1208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1356
  2⤵
  - Program crash
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2700 -ip 2700
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2700 -ip 2700
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2700 -ip 2700
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2700 -ip 2700
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2700 -ip 2700
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2700 -ip 2700
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2700 -ip 2700
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2700 -ip 2700
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2700 -ip 2700
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2700 -ip 2700
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-130-0x00000000025CA000-0x00000000025EB000-memory.dmp

Filesize
132KB

Download
memory/2700-131-0x00000000025CA000-0x00000000025EB000-memory.dmp

Filesize
132KB

Download
memory/2700-132-0x0000000004080000-0x00000000040B6000-memory.dmp

Filesize
216KB

Download
memory/2700-133-0x0000000000400000-0x0000000002336000-memory.dmp

Filesize
31.2MB

Download

Analysis

Sharing