MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197
SHA3-384 hash: 0bd68b39430b29ba2c08d7611896ebd3ddbd9ddb9ddc8f373960f6b7ed3352ccd950e2d6c2f25a5cd95f0e88b45db229
SHA1 hash: 75798c020a7e02d49b8140c29541242e2fbfd6f8
MD5 hash: 698d49245a200364157220696c81de87
humanhash: pennsylvania-ten-zebra-three
File name:698d49245a200364157220696c81de87.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:422'912 bytes
First seen:2021-04-22 06:12:39 UTC
Last seen:2021-04-22 07:19:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cb9d63f797831e593075010586be1d1 (2 x RedLineStealer, 1 x TaurusStealer)
ssdeep 12288:ApX9V/Vuq1cuTj8QkNsoE7uVhbCsqsFL:MNVkCcuMQuYuV9os
Threatray 33 similar samples on MalwareBazaar
TLSH FE94DF10F6E1D032E1B254754624C3BA5E3B78F22526A98F7BCD3A780F253D1EB61B49
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
TaurusStealer C2:
http://163.172.11.80/er/status.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
698d49245a200364157220696c81de87.exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 07:24:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a1490e4-9800-422c-8f11-ea60dd277d29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143524/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36757441.13392.29924.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692520
Signature
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 01:49:00 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=asfxs35xrmnbdvmydckbb5g6eh2xbfgsqp56xlwdn7dajmpwmglq._file
Verdict:
unknown
Similar samples:
03be30bf83c48de2fc11174179c6b466cde149f2af7032dbc8bf2036a12b0e1a
TaurusStealer
3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
TaurusStealer
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
TaurusStealer
5b7418517d962f6a77dedf03d99cf637fd0e202bcab8fa26441461a68b8d7cd2
TaurusStealer
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
TaurusStealer
82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460
TaurusStealer
be41dee9f9b806f5932a9ed56c841d884f4d7f8dafcdd20b4debfe82cc4898d4
TaurusStealer
ccea3ec883dbebf01bf405a8191e375dcdad2ab03b4601bd34b5261a3acf3fea
TaurusStealer
ea0ce50f66a640eea126b60be3a15f0c0295f07c227e4ef5d68ac043063ce9c3
TaurusStealer
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
TaurusStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210422-lfe77h1ac2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TaurusStealer

Executable exe 048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/143524/
  
URLhaus
https://urlhaus.abuse.ch/url/1131480/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-22 07:26:50 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0007] Memory Micro-objective::Allocate Memory
7) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process