taurus | 0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0

Analysis

max time kernel
53s
max time network
74s
platform
windows10_x64
resource
win10-20220414-en
submitted
15-07-2022 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe
Size

344KB
MD5

8ae3e9c831721116174321d4edb76b42
SHA1

b21b1c681e8258fc6ddda02121171c0dbe85a6b9
SHA256

0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0
SHA512

50cfe6223a49aee036fece9ef4e44bbc31c3f2f510fb5cabdb5203a4f0332a2d0ec28561fe525c0dbe11deacafc20381feba7926aade00f426736c8d398d5b08

Score

10^/10

taurus discovery spyware stealer trojan

Malware Config

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-135-0x00000000001C0000-0x00000000001F8000-memory.dmp	family_taurus_stealer
behavioral1/memory/2380-168-0x0000000000400000-0x0000000000483000-memory.dmp	family_taurus_stealer
behavioral1/memory/2380-181-0x00000000001C0000-0x00000000001F8000-memory.dmp	family_taurus_stealer
behavioral1/memory/2380-179-0x0000000000400000-0x0000000000483000-memory.dmp	family_taurus_stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2328 timeout.exe

pid	process
2328	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 4296	2380	0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe	cmd.exe
PID 2380 wrote to memory of 4296	2380	0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe	cmd.exe
PID 2380 wrote to memory of 4296	2380	0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe	cmd.exe
PID 4296 wrote to memory of 2328	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2328	4296	cmd.exe	timeout.exe
PID 4296 wrote to memory of 2328	4296	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe
"C:\Users\Admin\AppData\Local\Temp\0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-185-0x0000000000000000-mapping.dmp

Download
memory/2328-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-189-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-187-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-134-0x00000000006F1000-0x0000000000714000-memory.dmp

Filesize
140KB

Download
memory/2380-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-135-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/2380-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-168-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2380-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-178-0x00000000006F1000-0x0000000000714000-memory.dmp

Filesize
140KB

Download
memory/2380-181-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/2380-179-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2380-118-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4296-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4296-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4296-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4296-176-0x0000000000000000-mapping.dmp

Download
memory/4296-183-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4296-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download