Overview

overview

10

Static

static

32a872c8f5...bf.exe

windows7_x64

10

32a872c8f5...bf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    69s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-04-2022 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32a872c8f58276fb026ccd80f3347012ad3df4a7cadc9db4c390ee0c1cc3f4bf.exe

  • Size

    461KB

  • MD5

    edb4da4665c8af890a1fcf3c22e1474e

  • SHA1

    10af706b57ae864cb1564e4672d606fbe55dc60b

  • SHA256

    32a872c8f58276fb026ccd80f3347012ad3df4a7cadc9db4c390ee0c1cc3f4bf

  • SHA512

    408c2543998b8cb694fd251b5b7201b6dded8b053e4b5caf97844feb689c1695bd7171d9eb27a0a6e3564f509da4506acbec2ae52b01da5754bdeb779a773817

Score
10/10
taurusdiscoveryspywarestealertrojan

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 2 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32a872c8f58276fb026ccd80f3347012ad3df4a7cadc9db4c390ee0c1cc3f4bf.exe
    "C:\Users\Admin\AppData\Local\Temp\32a872c8f58276fb026ccd80f3347012ad3df4a7cadc9db4c390ee0c1cc3f4bf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\32a872c8f58276fb026ccd80f3347012ad3df4a7cadc9db4c390ee0c1cc3f4bf.exe
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3
        3⤵
        • Delays execution with timeout.exe
        PID:856

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1376-54-0x000000000096B000-0x000000000098D000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1376-55-0x0000000075361000-0x0000000075363000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1376-56-0x000000000096B000-0x000000000098D000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1376-57-0x0000000000220000-0x0000000000256000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1376-58-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download