MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8
SHA3-384 hash: 4bad412204f18b8556ecc83f81787ef5bc27c3957ca7b1fbd559ddd4889e1f821d43601aaaf7888e230635522aa4badd
SHA1 hash: 425df4e05e3447dd0b2401199fe359561511697a
MD5 hash: ec1a3ea52aa5a5bc66a495069a62f0d7
humanhash: mars-one-blossom-freddie
File name:EC1A3EA52AA5A5BC66A495069A62F0D7.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:654'648 bytes
First seen:2021-04-08 08:50:57 UTC
Last seen:2021-04-08 10:21:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mZ5IRfYutx+yS621f2H717ZLCxbb/n9od201l4ComcF:AjK5S6292b17Zk17Qoj
Threatray 44 similar samples on MalwareBazaar
TLSH 01D4BF507308BC87D92BADB85C5EE11429395F2E61A5CBCC2DC2BA5F67B270170A7F06
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
TaurusStealer C2:
http://45.138.72.202/cfg/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.138.72.202/cfg/ https://threatfox.abuse.ch/ioc/7315/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EC1A3EA52AA5A5BC66A495069A62F0D7.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-08 09:08:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/438fdc72-7473-4c54-82d2-a0164a753188

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133137/
Detection(s):
SecuriteInfo.com.Trojan.Carberp.2754.10300.10051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Containing strings that indicate a threat
Sending an HTTP POST request
Reading critical registry keys
Deleting a recently created file
Replacing files
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Predator
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/669863
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Predator
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8/
Threat name:
ByteCode-MSIL.Infostealer.Tepfer
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 11:14:35 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7yb2voerca6nwefdzbpfl6dhoeseotvbaotbvqt425ruodmq7ea._file
Verdict:
malicious
Similar samples:
17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7
TaurusStealer
20aa2a4abbebdb069726b69a4d9a2041599de56f167de9a64b7996433c5b33ec
TaurusStealer
2348533bdaabfe1f6418b36fa8e3aa06beb2317636a4cb6b0248bd4a01e51f95
TaurusStealer
38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
TaurusStealer
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75
TaurusStealer
6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499
TaurusStealer
787760272209442be52c110ab48a8af7b6d504725708750685275ccdee2807ec
TaurusStealer
894efce31cc70924a097c89b02eb544cb1303268b569f39ccbfba492d6c2b166
TaurusStealer
8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63
TaurusStealer
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
TaurusStealer
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210408-v6z1rral9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Unpacked files
SH256 hash:
3d2630d56274c0e2c42485d334e6b57c5985d0aca833cf50f9a88d03433464e5
MD5 hash:
d3c728e804ea8ba27bac2d085eac9dbd
SHA1 hash:
ff2a094109382be17b5b46603a3e2d8b63f5e47f
Link:
https://www.unpac.me/results/8be15c4c-7503-4932-812d-891497e2818b/
SH256 hash:
c6c9c2e4a921305e1bcf5fa8fc0da6ef0991ac5cc6a922078f5d8af504699858
MD5 hash:
9f20417d5421c1edee11708908d8cd9c
SHA1 hash:
5836fc9aec0865eb565a77c71a5e6c2ee31df137
Link:
https://www.unpac.me/results/8be15c4c-7503-4932-812d-891497e2818b/
SH256 hash:
17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8
MD5 hash:
ec1a3ea52aa5a5bc66a495069a62f0d7
SHA1 hash:
425df4e05e3447dd0b2401199fe359561511697a
Link:
https://www.unpac.me/results/8be15c4c-7503-4932-812d-891497e2818b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133137/

Comments