taurus | 3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f

General

Target

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe
Size

561KB
MD5

f8150dbb66a9dd18903253fb1855ddbf
SHA1

705dacea137f1336a250388b719cc878af49ea91
SHA256

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f
SHA512

9a8d6185d316757617f7433c8cc9e3ed74dabd1c08ee31fc01eb4d403eddafb9a6c228187e39641167e4913ca819da699393d80bcacd3a205ae823b7cc9bfc2b

Score

10^/10

taurus spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-134-0x0000000000400000-0x0000000000477000-memory.dmp	family_taurus_stealer
behavioral2/memory/1652-135-0x0000000000400000-0x0000000000477000-memory.dmp	family_taurus_stealer
behavioral2/memory/1652-136-0x0000000000400000-0x0000000000477000-memory.dmp	family_taurus_stealer
behavioral2/memory/1652-137-0x0000000000400000-0x0000000000477000-memory.dmp	family_taurus_stealer

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

description	pid	process	target process
PID 4756 set thread context of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3196 timeout.exe

pid	process
3196	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

pid	process
4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe
4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

description pid process

Token: SeDebugPrivilege 4756 3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

description	pid	process
Token: SeDebugPrivilege	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exeCasPol.execmd.exe

description	pid	process	target process
PID 4756 wrote to memory of 764	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 764	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 764	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 4756 wrote to memory of 1652	4756	3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe	CasPol.exe
PID 1652 wrote to memory of 2616	1652	CasPol.exe	cmd.exe
PID 1652 wrote to memory of 2616	1652	CasPol.exe	cmd.exe
PID 1652 wrote to memory of 2616	1652	CasPol.exe	cmd.exe
PID 2616 wrote to memory of 3196	2616	cmd.exe	timeout.exe
PID 2616 wrote to memory of 3196	2616	cmd.exe	timeout.exe
PID 2616 wrote to memory of 3196	2616	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe
"C:\Users\Admin\AppData\Local\Temp\3cba12289fc819e20fef12301eedad1a3dd079dd93a7b866c814babd7fa4c33f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-132-0x0000000000000000-mapping.dmp

Download
memory/1652-133-0x0000000000000000-mapping.dmp

Download
memory/1652-134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1652-135-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1652-136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1652-137-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2616-138-0x0000000000000000-mapping.dmp

Download
memory/3196-139-0x0000000000000000-mapping.dmp

Download
memory/4756-130-0x0000000000470000-0x00000000004FE000-memory.dmp

Filesize
568KB

Download
memory/4756-131-0x0000000000CC0000-0x0000000000D26000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads