MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c5d7642a58d60f603a1931f20977219becef21e957641a250c272c3fab74b2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 6


Intelligence 6 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c5d7642a58d60f603a1931f20977219becef21e957641a250c272c3fab74b2d
SHA3-384 hash: cbf8f28121fa1aae88afaf4eee7804e0cc3e026c28ec7e0064dbb46afd919e40dc19edc9496dcf8b8999eb32a2f66062
SHA1 hash: 370c8b0935a60595b193d31a3779599a7d3b643c
MD5 hash: c9b5203de5dcfcacef457d81feba5f0d
humanhash: robin-west-nineteen-arizona
File name:c9b5203de5dcfcacef457d81feba5f0d.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:353'280 bytes
First seen:2021-04-18 11:05:09 UTC
Last seen:2021-04-18 11:58:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 683b1dbf821a6aafc4e9e892fc722419 (4 x TaurusStealer, 3 x RaccoonStealer)
ssdeep 6144:50eD+jAL6XJSGoPaamTHQHzpd8TbqYHOzJ4HVldQLKVM5Pa03Y7O:50eDhdL46zb0bZEJ49eKiy
Threatray 51 similar samples on MalwareBazaar
TLSH C674D031F2D0E13BC08225765319C7F18E7B7876295659CBBBC16AB91F343E1EA2470A
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
TaurusStealer C2:
http://legend0.ru/cfg/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://legend0.ru/cfg/ https://threatfox.abuse.ch/ioc/8849/

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9b5203de5dcfcacef457d81feba5f0d.exe
Verdict:
Malicious activity
Analysis date:
2021-04-18 11:07:26 UTC
Tags:
trojan taurus stealer predator
Link:
https://app.any.run/tasks/5a11ec87-e23a-4a52-8ba6-22ed6fa1a152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137638/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.539.24504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Containing strings that indicate a threat
Reading critical registry keys
Creating a file
Deleting a recently created file
Replacing files
Sending a UDP request
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Predator Taurus Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/684838
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Predator
Yara detected Taurus Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c5d7642a58d60f603a1931f20977219becef21e957641a250c272c3fab74b2d/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nroxmqvfrvqpma5bsmpsbf3sdg7m54q6sv3edisqyjzmh6vxjmwq._file
Verdict:
malicious
Similar samples:
0595ed217175111f8512486a87acdf3dbde38bb7db819dc5f22df7d1ea8aa3a2
TaurusStealer
17f01d55c48881e6d8851e42f2afc33b89223a75081d30d613e6bb1a386c87c8
TaurusStealer
20aa2a4abbebdb069726b69a4d9a2041599de56f167de9a64b7996433c5b33ec
TaurusStealer
38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
TaurusStealer
45feb97cce0d34dc6c93494ba82a0b657ed513d1f9a0962b4415e0e51d05fa4e
TaurusStealer
6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499
TaurusStealer
a423314d33b74a166ce89ccef59bd5da0b25a6cfdc4ab59ac0fe157dad3082cd
TaurusStealer
b2e0a2a4ee3ca452cd290a72cd11f0fe2e178ca8566badd578377fa211aa59a8
TaurusStealer
b46b850653845d1f4f228cba48ef413daed75df4d130978d7a4ac00059f63e66
TaurusStealer
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
TaurusStealer
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210418-h8g4xz1y1e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TaurusStealer

Executable exe 6c5d7642a58d60f603a1931f20977219becef21e957641a250c272c3fab74b2d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1131480/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/137638/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 12:08:09 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0050] File System Micro-objective::Set File Attributes
6) [C0052] File System Micro-objective::Writes File
7) [C0007] Memory Micro-objective::Allocate Memory
8) [C0033] Operating System Micro-objective::Console
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0040] Process Micro-objective::Allocate Thread Local Storage
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process