MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TaurusStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304
SHA3-384 hash:	061839c4fd41f355271ef9b2380472569cb08fe0f00cc65d61f0531ac4ad5a63cc4d409e3fc183459c8e2fa0a00ed69a
SHA1 hash:	3c379dfb7f6f26a067077cba102ee8d0ca992425
MD5 hash:	8ccf9291528b147f1ada20fe94dc822a
humanhash:	utah-salami-delaware-oven
File name:	INVOICES_BL_AWB_2021.exe
Download:	download sample
Signature	TaurusStealer Create hunting rule
File size:	362'496 bytes
First seen:	2021-01-28 15:53:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d67ba9b8711455c2944dcbf9c0b7ce0b (1 x TaurusStealer)
ssdeep	6144:ZahpJWmdLmG5Frw+vq0iyd6sPnCsRnnCDYaNxose9VkrR4+k7x:eTWmdbrwgq0ir8L9n8YC8+v2
Threatray	35 similar samples on MalwareBazaar
TLSH	B874DF01B2C2C032C05325718915CBB55EBBB871666669CFBBE80FBD5F647C2A73634A
Reporter	GovCERT_CH
Tags:	TaurusStealer

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INVOICES_BL_AWB_2021.exe

Verdict:

Malicious activity

Analysis date:

2021-01-28 15:56:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/21195bb1-84df-45c3-9a3d-ba7f891e38dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114256/

Detection(s):

Win.Dropper.Wacatac-9826966-0

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Creating a file

Sending a UDP request

Launching cmd.exe command interpreter

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Taurus Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/593070

Signature

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Taurus Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-01-26 15:45:13 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iz4wjazxijtcfipujomsa6qdmfcldyjdshbwom7ouehwhibnamca._file

Verdict:

unknown

TaurusStealer

28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

TaurusStealer

2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb

TaurusStealer

3ee5a54480db0b8a0b2a5c28b04c1f6689945de2a977f5bff91f24e1548a6c7a

TaurusStealer

83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b

TaurusStealer

847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d

TaurusStealer

8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63

TaurusStealer

9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671

TaurusStealer

a83fcb8454befab866f2ab18871017730bcfc3f690106844f740ebbd8cadd6d8

TaurusStealer

e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9

TaurusStealer

+ 25 additional samples on MalwareBazaar

Result

Malware family:

taurus_stealer

Score:

10/10

Tags:

family:taurus_stealer discovery spyware stealer trojan

Link:

https://tria.ge/reports/210128-ls9z96hmm2/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Deletes itself

Reads user/profile data of web browsers

Taurus Stealer

Unpacked files

SH256 hash:

edc8e10e42d63d83f883f0b554fc12b1f99bae5df6aa50165d3501330aa3ee1a

MD5 hash:

0c62e41db4ca02f0198fef070da6d293

SHA1 hash:

859d1cc9820b0824213edf0d29cbedad2b9631cf

Link:

https://www.unpac.me/results/8931bae4-d751-40f9-8056-9cf71b0174a2/

SH256 hash:

4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304

MD5 hash:

8ccf9291528b147f1ada20fe94dc822a

SHA1 hash:

3c379dfb7f6f26a067077cba102ee8d0ca992425

Link:

https://www.unpac.me/results/8931bae4-d751-40f9-8056-9cf71b0174a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TaurusStealer

ace 7f945e1d965b68e1ea68a3e9cd2263dd8b664a5cf618529dda169fb650b6505a

TaurusStealer

exe 4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304

(this sample)

Dropped by

MD5 10108038254a01b7067db434c9722aec

Dropped by

SHA256 7f945e1d965b68e1ea68a3e9cd2263dd8b664a5cf618529dda169fb650b6505a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/114256/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample