taurus | f20ff51110a2afc08e58fbfbb856043bc4a1510a95b46ccbf3770f7f8344214a

Analysis

max time kernel
22s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 03:53

Target

c1b0a127dd1f69399a03c8653776df9c.exe
Size

235KB
MD5

c1b0a127dd1f69399a03c8653776df9c
SHA1

c66ab86b8bff31d74f077ec989887ba0aa186763
SHA256

f20ff51110a2afc08e58fbfbb856043bc4a1510a95b46ccbf3770f7f8344214a
SHA512

42583ed265820fd6c272e4513972314c4db0c401d939d932528320cfc78ceabccfb17b314a77657dcadf53843ce5316aa7f6a88f1700a0797b2caf45c1d4e93b
SSDEEP

6144:QRSe86YHbe3UuWmX8DVNC8zzt6+KXDJ1DKmB87vN2U5TUjr:UfuuNsDfxatTB870Njr

Score

10^/10

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4480-14-0x0000000000400000-0x000000000043A000-memory.dmp	family_taurus_stealer
behavioral2/memory/4480-13-0x0000000000400000-0x000000000043A000-memory.dmp	family_taurus_stealer
behavioral2/memory/4480-11-0x0000000000400000-0x000000000043A000-memory.dmp	family_taurus_stealer
behavioral2/memory/4480-10-0x0000000000400000-0x000000000043A000-memory.dmp	family_taurus_stealer
behavioral2/memory/4480-16-0x0000000000400000-0x000000000043A000-memory.dmp	family_taurus_stealer

Suspicious use of SetThreadContext 1 IoCs

Processes:

c1b0a127dd1f69399a03c8653776df9c.exe

description pid process target process

PID 840 set thread context of 4480 840 c1b0a127dd1f69399a03c8653776df9c.exe c1b0a127dd1f69399a03c8653776df9c.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2452 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c1b0a127dd1f69399a03c8653776df9c.exe

description pid process

Token: SeDebugPrivilege 840 c1b0a127dd1f69399a03c8653776df9c.exe

description	pid	process	target process
PID 840 set thread context of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe

pid	process
2452	timeout.exe

description	pid	process
Token: SeDebugPrivilege	840	c1b0a127dd1f69399a03c8653776df9c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c1b0a127dd1f69399a03c8653776df9c.exe

description	pid	process	target process
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe
PID 840 wrote to memory of 4480	840	c1b0a127dd1f69399a03c8653776df9c.exe	c1b0a127dd1f69399a03c8653776df9c.exe

C:\Users\Admin\AppData\Local\Temp\c1b0a127dd1f69399a03c8653776df9c.exe
C:\Users\Admin\AppData\Local\Temp\c1b0a127dd1f69399a03c8653776df9c.exe
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\c1b0a127dd1f69399a03c8653776df9c.exe
3⤵
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
1⤵
- Delays execution with timeout.exe
PID:2452

memory/840-8-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/840-7-0x00000000061D0000-0x0000000006246000-memory.dmp

Filesize
472KB

Download
memory/840-2-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/840-4-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/840-1-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/840-0-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/840-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/840-6-0x0000000006120000-0x000000000614A000-memory.dmp

Filesize
168KB

Download
memory/840-5-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/840-9-0x00000000061C0000-0x00000000061D2000-memory.dmp

Filesize
72KB

Download
memory/840-15-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4480-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download