taurus | 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f

General

Target

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
Size

720KB
MD5

971c48d6dc3f593485bf2577266d2da7
SHA1

a9d1b83dd950414be286ec41365ac9b6bfe1bcbf
SHA256

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f
SHA512

89229a9e4fb51ef1e7aba83703bd08677a59c416136cb6d5c5df0804e4481c48d655bbc394295eb1858a2de0994e63b3daf67ed9678bc948be4aa6b159606819

Score

10^/10

taurus spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4456-136-0x0000000000400000-0x0000000000431000-memory.dmp	family_taurus_stealer
behavioral2/memory/4456-137-0x0000000000400000-0x0000000000431000-memory.dmp	family_taurus_stealer
behavioral2/memory/4456-138-0x0000000000400000-0x0000000000431000-memory.dmp	family_taurus_stealer
behavioral2/memory/4456-139-0x0000000000400000-0x0000000000431000-memory.dmp	family_taurus_stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

description	pid	process	target process
PID 3012 set thread context of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1856	4456	WerFault.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
4008	4456	WerFault.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

pid	process
3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

description pid process

Token: SeDebugPrivilege 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

description	pid	process
Token: SeDebugPrivilege	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

description	pid	process	target process
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
PID 3012 wrote to memory of 4456	3012	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe	8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe

C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
"C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
"{path}"
2⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1860
3⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1832
3⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4456 -ip 4456
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4456 -ip 4456
1⤵
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-130-0x0000000000D20000-0x0000000000DDA000-memory.dmp

Filesize
744KB

Download
memory/3012-131-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/3012-132-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/3012-133-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/3012-134-0x0000000009240000-0x00000000092DC000-memory.dmp

Filesize
624KB

Download
memory/4456-135-0x0000000000000000-mapping.dmp

Download
memory/4456-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads