taurus | 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0

General

Target

0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
Size

314KB
MD5

8391150bd1e9ee175e448aa45b58414f
SHA1

0e4aff0bc949292f5500539a655e684f22c9953a
SHA256

0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0
SHA512

1f3c19b3f635f7836bccc0eecffbb94f385acafdbb47b93201a63c73b906f223fa59bc5a4b5ba9ecb9d9b06085f80479341bc84aa9df6941dd5ae451c4476961

Score

10^/10

taurus discovery spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2528-130-0x0000000000400000-0x00000000047D0000-memory.dmp	family_taurus_stealer
behavioral2/memory/2528-132-0x00000000047D0000-0x0000000004806000-memory.dmp	family_taurus_stealer
behavioral2/memory/2528-133-0x0000000000400000-0x00000000047D0000-memory.dmp	family_taurus_stealer
behavioral2/memory/2528-134-0x0000000000400000-0x00000000047D0000-memory.dmp	family_taurus_stealer
behavioral2/memory/2528-137-0x0000000000400000-0x00000000047D0000-memory.dmp	family_taurus_stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 2528 WerFault.exe 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4352 timeout.exe

pid	pid_target	process	target process
1956	2528	WerFault.exe	0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe

pid	process
4352	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 4172	2528	0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe	cmd.exe
PID 2528 wrote to memory of 4172	2528	0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe	cmd.exe
PID 2528 wrote to memory of 4172	2528	0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe	cmd.exe
PID 4172 wrote to memory of 4352	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 4352	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 4352	4172	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
"C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1244
2⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2528 -ip 2528
1⤵
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2528-130-0x0000000000400000-0x00000000047D0000-memory.dmp

Filesize
67.8MB

Download
memory/2528-131-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/2528-132-0x00000000047D0000-0x0000000004806000-memory.dmp

Filesize
216KB

Download
memory/2528-133-0x0000000000400000-0x00000000047D0000-memory.dmp

Filesize
67.8MB

Download
memory/2528-134-0x0000000000400000-0x00000000047D0000-memory.dmp

Filesize
67.8MB

Download
memory/2528-137-0x0000000000400000-0x00000000047D0000-memory.dmp

Filesize
67.8MB

Download
memory/4172-135-0x0000000000000000-mapping.dmp

Download
memory/4352-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing