MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c
SHA3-384 hash: 26425ffbdc6a93039376ad34afbfcf5a414526d8111066298632b8f9eb54c74f0036ec6cdd7dbd16b1679d1f6d5118ce
SHA1 hash: fe53ef52e27877450865d074ef2f3e67e2af2ca3
MD5 hash: 5ae9b47fd2a505049a7f6f405f6f512c
humanhash: michigan-table-yankee-bacon
File name:frank_2021-02-22_02-03.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:355'328 bytes
First seen:2021-02-22 07:20:34 UTC
Last seen:2021-02-22 08:41:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c67a49a7b4bad17c2a069576142bca44 (1 x TaurusStealer)
ssdeep 6144:i8aXJfZXvyilyVTP0a713xunmLxHdqarVN/4tBI8w1vty67WC1UOi:i8aZBXvyilyV4a7138nm/qaNYI/vtAL
Threatray 36 similar samples on MalwareBazaar
TLSH AE74AF10B7A3C034F4B716B8467682FCA9297FA1672761CB93D52AEA5B306E0DC31747
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server0.intouchsport.net
Sending IP: 192.236.177.223
From: Cindywang <test1234@wahanaartha.com>
Subject: New PO#SG-21-005- Quote Number : QT1028599
Attachment: PO comfirmation.gz (contains "frank_2021-02-22_02-03.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118217/
Detection(s):
SecuriteInfo.com.Variant.Bulz.367460.30283.22665.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Reading critical registry keys
Deleting a recently created file
Replacing files
Launching cmd.exe command interpreter
Launching a process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Predator Taurus Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613852
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Predator
Yara detected Taurus Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 00:35:50 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ocgi4jtit2b2qjdax7hwch3y5lzz5zxhpyjmepvacjej322x44wa._file
Verdict:
suspicious
Similar samples:
28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
TaurusStealer
2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
TaurusStealer
3ee5a54480db0b8a0b2a5c28b04c1f6689945de2a977f5bff91f24e1548a6c7a
TaurusStealer
4679648337426622a1f44b99207a036144b1e12391c36733eea10f63a02d0304
TaurusStealer
83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b
TaurusStealer
847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d
TaurusStealer
8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63
TaurusStealer
9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671
TaurusStealer
a83fcb8454befab866f2ab18871017730bcfc3f690106844f740ebbd8cadd6d8
TaurusStealer
e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9
TaurusStealer
+ 26 additional samples on MalwareBazaar
Result
Malware family:
taurus_stealer
Create hunting rule
Score:
  10/10
Tags:
family:taurus_stealer discovery spyware stealer trojan
Link:
https://tria.ge/reports/210222-h4j38kzryx/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Taurus Stealer
Unpacked files
SH256 hash:
edc8e10e42d63d83f883f0b554fc12b1f99bae5df6aa50165d3501330aa3ee1a
MD5 hash:
0c62e41db4ca02f0198fef070da6d293
SHA1 hash:
859d1cc9820b0824213edf0d29cbedad2b9631cf
Link:
https://www.unpac.me/results/90f9b6d1-3896-4f82-a0cb-c62be0537663/
SH256 hash:
708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c
MD5 hash:
5ae9b47fd2a505049a7f6f405f6f512c
SHA1 hash:
fe53ef52e27877450865d074ef2f3e67e2af2ca3
Link:
https://www.unpac.me/results/90f9b6d1-3896-4f82-a0cb-c62be0537663/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TaurusStealer

gz 579303b7a0f24a0ec6510f2a1037b25eb1e18ba69b3997a788eb8f5641d7d8f4

TaurusStealer

Executable exe 708c8e26689e83a82460bfcf611f78eaf39ee6e77e12c23ea012489deb57e72c

(this sample)

  
Dropped by
MD5 56443028e0c91e5c420b166877fffae0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118217/
  
Dropped by
SHA256 579303b7a0f24a0ec6510f2a1037b25eb1e18ba69b3997a788eb8f5641d7d8f4

Comments