Overview

overview

10

Static

static

acfb70e071...73.exe

windows7_x64

10

acfb70e071...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-05-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acfb70e071355b050c3d3ad4e99c760b922d0ce85930b1d92403186c540d7d73.exe

  • Size

    571KB

  • MD5

    3b162f81c028a43f6b00e69043fdb295

  • SHA1

    9f057b9561b55d8b81db0b4de8239791ea043349

  • SHA256

    acfb70e071355b050c3d3ad4e99c760b922d0ce85930b1d92403186c540d7d73

  • SHA512

    029430b4f59b4be230b91615b2439f4e51233d1d9ac3c3bcff61982cbd98ffead3d089d8c093427ee9b7b6a3442152611e335aa704b8f3caa54e995bb00cdea9

Score
10/10
taurusspywarestealertrojan

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 7 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acfb70e071355b050c3d3ad4e99c760b922d0ce85930b1d92403186c540d7d73.exe
    "C:\Users\Admin\AppData\Local\Temp\acfb70e071355b050c3d3ad4e99c760b922d0ce85930b1d92403186c540d7d73.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\SysWOW64\cmd.exe
        /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:364
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1768
      2⤵
      • Program crash
      PID:684

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1396-70-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-65-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-76-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-73-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-60-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-61-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-63-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1396-66-0x0000000000080000-0x00000000000B7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1972-57-0x00000000006B0000-0x00000000006E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1972-54-0x0000000001220000-0x00000000012B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1972-59-0x0000000000610000-0x0000000000616000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1972-58-0x00000000005C0000-0x00000000005D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1972-56-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1972-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

    Download