MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45feb97cce0d34dc6c93494ba82a0b657ed513d1f9a0962b4415e0e51d05fa4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45feb97cce0d34dc6c93494ba82a0b657ed513d1f9a0962b4415e0e51d05fa4e
SHA3-384 hash: 49d4236e0e57b05bf716f5d6dce64d42cd7e4cec46d2eddc44ee12d7e6babd36a4c93b0cda51845e858ddf4fdf42b15f
SHA1 hash: 79705d49388b1f5324de1e5eff4a3b0c3a6a9187
MD5 hash: 52a93fbc6187234e2543dcbf2b18cf58
humanhash: golf-bakerloo-mississippi-wisconsin
File name:AZ.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:395'264 bytes
First seen:2021-04-18 08:58:27 UTC
Last seen:2021-04-18 10:02:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67b96b4223581f56d41e39decf1fe60c (1 x TaurusStealer, 1 x CryptBot)
ssdeep 6144:S0eyM76Fem/L9CYL73aKSXPypPCBDPK7aRx5XQrb10hN2oxDc1:SNyM76F/xDPaPfyVk7K7E5XQ31cxe
Threatray 50 similar samples on MalwareBazaar
TLSH 2884CF1135C0C032CC9225779635C3B19BBABA79562559CBBBC91BF81F607E2AB3131B
Reporter benkow_
Tags:exe TaurusStealer


Avatar
benkow_
c2 http://legend0. ru/cfg/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AZ.exe
Verdict:
Malicious activity
Analysis date:
2021-04-18 08:59:49 UTC
Tags:
trojan taurus stealer predator
Link:
https://app.any.run/tasks/12e506c0-74c3-4d6d-8ee8-a52156b7c6e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137577/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.3941.27147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Containing strings that indicate a threat
Reading critical registry keys
Creating a file
Deleting a recently created file
Replacing files
Sending a UDP request
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/684710
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45feb97cce0d34dc6c93494ba82a0b657ed513d1f9a0962b4415e0e51d05fa4e/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ix7ls7gobu2ny3etjff2qkqlmv7nke6r7gqjmk2ecxqokhif7jha._file
Verdict:
malicious
Similar samples:
0595ed217175111f8512486a87acdf3dbde38bb7db819dc5f22df7d1ea8aa3a2
TaurusStealer
17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8
TaurusStealer
20aa2a4abbebdb069726b69a4d9a2041599de56f167de9a64b7996433c5b33ec
TaurusStealer
38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
TaurusStealer
6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499
TaurusStealer
787760272209442be52c110ab48a8af7b6d504725708750685275ccdee2807ec
TaurusStealer
a423314d33b74a166ce89ccef59bd5da0b25a6cfdc4ab59ac0fe157dad3082cd
TaurusStealer
b2e0a2a4ee3ca452cd290a72cd11f0fe2e178ca8566badd578377fa211aa59a8
TaurusStealer
b46b850653845d1f4f228cba48ef413daed75df4d130978d7a4ac00059f63e66
TaurusStealer
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
TaurusStealer
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210418-d25nzd93da/
Behaviour
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TaurusStealer

Executable exe 45feb97cce0d34dc6c93494ba82a0b657ed513d1f9a0962b4415e0e51d05fa4e

(this sample)

  
Dropped by
Cracknet
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1131480/
Cape
Cape
https://www.capesandbox.com/analysis/137577/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 09:01:25 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
3) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0050] File System Micro-objective::Set File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0033] Operating System Micro-objective::Console
10) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
11) [C0040] Process Micro-objective::Allocate Thread Local Storage
12) [C0041] Process Micro-objective::Set Thread Local Storage Value
13) [C0018] Process Micro-objective::Terminate Process