MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499
SHA3-384 hash: d7c1771f05c0a6e26989afa43fbf33277fd44f74ec71cf3b2f8cbfe2d33af0c487abc5d6765b087b3437ac83850064ef
SHA1 hash: f25683ceee40c744a9df347803e160ba675b7055
MD5 hash: a141173cfaedf9404845c2bfef74dec6
humanhash: east-zebra-romeo-california
File name:Installer [Pass 1234].exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:1'062'400 bytes
First seen:2021-02-28 17:37:20 UTC
Last seen:2021-02-28 19:50:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:cnFnzX57EunzX57ENZKyGNHBGA2r8xK2F89WpCyPfAuIH8dNjHg/SURvVbRwz:cnZxHxSShGaxDF3b3vCRvVFw
Threatray 45 similar samples on MalwareBazaar
TLSH 523594F5FF836330E6E965B036940DEE411ECD322961997F8A04B5062B359982F7BC4E
Reporter Anonymous
Tags:na TaurusStealer


Avatar
Anonymous
who

Intelligence

File Origin
# of uploads :
2
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer [Pass 1234].exe
Verdict:
No threats detected
Analysis date:
2021-02-28 00:34:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d695829b-bba2-4bab-90b9-ac8c32ba4f1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120039/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36397751.15602.16871.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Containing strings that indicate a threat
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Predator
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/621426
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Predator
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 10:46:54 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxku35zhq2lqzx4wcuzsw7d2xt2kv42tx25l56ciiny4avyomsmq._file
Verdict:
suspicious
Similar samples:
17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7
TaurusStealer
2348533bdaabfe1f6418b36fa8e3aa06beb2317636a4cb6b0248bd4a01e51f95
TaurusStealer
28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
TaurusStealer
2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
TaurusStealer
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75
TaurusStealer
708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c
TaurusStealer
847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d
TaurusStealer
8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63
TaurusStealer
9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671
TaurusStealer
a83fcb8454befab866f2ab18871017730bcfc3f690106844f740ebbd8cadd6d8
TaurusStealer
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210228-mdf4gcpwle/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Unpacked files
SH256 hash:
a397483b1c35c9f4e11a6ab44ae75957c79c05e61fa75b276cc5f72eee57fa70
MD5 hash:
538e80da680f7511cd93b5220633da68
SHA1 hash:
fcd985267eb7dd79098ed47e00d48525732d7dbb
Link:
https://www.unpac.me/results/d0f96e07-4bb0-44be-9c26-23f9f7d17acf/
SH256 hash:
dc737d78de42ae8336fc06295e8fba576aceff02329ddc0c18092d90e25c7be7
MD5 hash:
f24e5dc181c9f11fb88ad73f6dcdc9da
SHA1 hash:
96f62133ec4c0546be71c0380263943f0edbfbcf
Link:
https://www.unpac.me/results/d0f96e07-4bb0-44be-9c26-23f9f7d17acf/
SH256 hash:
6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499
MD5 hash:
a141173cfaedf9404845c2bfef74dec6
SHA1 hash:
f25683ceee40c744a9df347803e160ba675b7055
Link:
https://www.unpac.me/results/d0f96e07-4bb0-44be-9c26-23f9f7d17acf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dd54df72786970cdf9615332b7c7abcf4aaf353bebabef8484371c0570e6499

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120039/

Comments