MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d
SHA3-384 hash: f9d20c4d55295787da9d02afc1b6014362c5163aa5a45313c8bc104610bc84bcb0b17aa495a4b516056f63d3f3142581
SHA1 hash: aa027d89f5d3f991ad3e14ffb681616a77621836
MD5 hash: ad56c384476a81faef9aebd60b2f4623
humanhash: india-solar-carolina-autumn
File name:ad56c384476a81faef9aebd60b2f4623.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:253'440 bytes
First seen:2020-11-28 10:36:01 UTC
Last seen:2020-11-28 12:44:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 187219f3546e865a0efcc61fa5a016a8 (2 x TaurusStealer)
ssdeep 6144:tz62K1wEw+QqdSUCzVIGpkhAMoQmQgN4is5QC+:u1vw+QqdSUUVIEkhAML8qC
Threatray 10 similar samples on MalwareBazaar
TLSH 5244CE10BAA1C433E29209764964C6654A37BCB25F35A2CB7BD02B6DCF313E19B36747
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
Amadey C2:
http://217.8.117.62/b2bsk4ddW/index.php

TaurusStealer payload URL:
http://217.8.117.62/wseppx.exe

TaurusStealer C2:
http://109.94.110.251/cfg/

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105903/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Reading critical registry keys
Containing strings that indicate a threat
Sending an HTTP POST request
Connection attempt
Creating a window
Deleting a recently created file
Replacing files
Launching cmd.exe command interpreter
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549985
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324104 Sample: S3n9cCehe2.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 50 g.msn.com 2->50 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Antivirus detection for URL or domain 2->68 70 Antivirus detection for dropped file 2->70 72 6 other signatures 2->72 10 S3n9cCehe2.exe 4 2->10         started        signatures3 process4 file5 40 C:\ProgramData\df06955a2a\tdun.exe, PE32 10->40 dropped 92 Detected unpacking (changes PE section rights) 10->92 94 Detected unpacking (overwrites its own PE header) 10->94 96 Contains functionality to inject code into remote processes 10->96 14 tdun.exe 22 10->14         started        signatures6 process7 dnsIp8 56 217.8.117.62, 49707, 49708, 49711 CREXFEXPEX-RUSSIARU Russian Federation 14->56 42 C:\Users\user\AppData\Local\Temp\wseppx.exe, PE32 14->42 dropped 44 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 14->44 dropped 46 C:\Users\user\AppData\Local\...\wseppx[1].exe, PE32 14->46 dropped 48 3 other malicious files 14->48 dropped 58 Multi AV Scanner detection for dropped file 14->58 60 Detected unpacking (changes PE section rights) 14->60 62 Detected unpacking (overwrites its own PE header) 14->62 64 Machine Learning detection for dropped file 14->64 19 wseppx.exe 13 14->19         started        23 rundll32.exe 14->23         started        25 cmd.exe 1 14->25         started        27 rundll32.exe 1 14->27         started        file9 signatures10 process11 dnsIp12 52 109.94.110.251, 49734, 49950, 80 BELCLOUDBG Bulgaria 19->52 74 Multi AV Scanner detection for dropped file 19->74 76 Detected unpacking (changes PE section rights) 19->76 78 Detected unpacking (overwrites its own PE header) 19->78 90 2 other signatures 19->90 29 cmd.exe 1 19->29         started        54 192.168.2.5, 443, 49557, 49675 unknown unknown 23->54 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->80 82 Tries to steal Instant Messenger accounts or passwords 23->82 84 Tries to steal Mail credentials (via file access) 23->84 86 Tries to harvest and steal ftp login credentials 23->86 31 reg.exe 1 25->31         started        34 conhost.exe 25->34         started        88 System process connects to network (likely due to code injection or exploit) 27->88 signatures13 process14 signatures15 36 conhost.exe 29->36         started        38 timeout.exe 1 29->38         started        98 Creates an undocumented autostart registry key 31->98 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 00:15:27 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2mv4bm6wr66bnmksxhcypmghwleu6qwazgufggo5hnr3ytg42gq._file
Verdict:
suspicious
Similar samples:
035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
TaurusStealer
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
TaurusStealer
4626980a591b50826c7ed3ba55812df592c8abd7e40131438d4faa0319aac7fb
TaurusStealer
8437af9312fa3a3f5ed17a5b1877502024832eb2b050fb93566389817c47f551
TaurusStealer
92426fe39cddb0d10510d1a6d2d90600b651b55cdf7f441782b9b3ad7817f935
TaurusStealer
cea813cbef6581e0c95aacb2e747f5951325444b941e801164154917a17bfe71
TaurusStealer
dc5f40f99496a7140ea7722698f2de741fb00845c7791d78ec0ba90fc4a04490
TaurusStealer
e5262c52f747de4318e3f5b44b78a822ba0a4ea667ccdcf811f5e52cb6742327
TaurusStealer
ebbf1f05b4ebc687893c9989688b139424d0fe6242ab490c7282b7bd6299c187
TaurusStealer
fd865a95aba368c5bef303415ae32e89141cc10b2455e5e9cba721a79bb3b78b
TaurusStealer
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/201128-tvdgc6c46s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
ServiceHost packer
Unpacked files
SH256 hash:
746d1c173d6b751dd6eaea5733ff1888035ad90167c5547331140bffa939d93d
MD5 hash:
9973c1538ee91ef2b906ab5e88658de9
SHA1 hash:
9c97deac7e3ccccaec0a87a6c8dc7a05791cebfe
Link:
https://www.unpac.me/results/7042400a-89dc-44cc-9726-d90701241fb4/
SH256 hash:
16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d
MD5 hash:
ad56c384476a81faef9aebd60b2f4623
SHA1 hash:
aa027d89f5d3f991ad3e14ffb681616a77621836
Link:
https://www.unpac.me/results/7042400a-89dc-44cc-9726-d90701241fb4/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TaurusStealer

Executable exe 16995e059eb47de0b58a95ce2c3d863d964a7a16064d4298cee9db1de266e68d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/863152/
  
URLhaus
https://urlhaus.abuse.ch/url/853278/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105903/

Comments