General

  • Target

    ad40eb035ec2cceddb5c9876fd4d4af285194d86ebf052c9629b38cb27800384

  • Size

    2.3MB

  • Sample

    220708-wbdvracfhj

  • MD5

    f259fb1b132c9b2cb699a6f2ae2bc324

  • SHA1

    21039286b53ba1218ce9a9679daf4177c226820f

  • SHA256

    ad40eb035ec2cceddb5c9876fd4d4af285194d86ebf052c9629b38cb27800384

  • SHA512

    97ba48df6224c87c34c66508f61e47531256a908cec2b535f80c18db71694b37e5943381b0fb8ccc3171279b038901e75f79d5e3f8800ce0d9a8050931497ff4

Malware Config

Targets

    • Target

      ad40eb035ec2cceddb5c9876fd4d4af285194d86ebf052c9629b38cb27800384

    • Size

      2.3MB

    • MD5

      f259fb1b132c9b2cb699a6f2ae2bc324

    • SHA1

      21039286b53ba1218ce9a9679daf4177c226820f

    • SHA256

      ad40eb035ec2cceddb5c9876fd4d4af285194d86ebf052c9629b38cb27800384

    • SHA512

      97ba48df6224c87c34c66508f61e47531256a908cec2b535f80c18db71694b37e5943381b0fb8ccc3171279b038901e75f79d5e3f8800ce0d9a8050931497ff4

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks