MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TaurusStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846
SHA3-384 hash:	a3bcce6a0162c3e9fe277e73e450a5b04fa0d98b09eec79645eebf3e82fdfbad24eaf0a927a8d3b33bfb984a4f0bda06
SHA1 hash:	88b0f5c796d671dc93cf2342ef7f1f0a3249b1ef
MD5 hash:	55134aef7e05d52cec7b49a6cf1c8c3f
humanhash:	seven-fanta-sink-finch
File name:	55134aef7e05d52cec7b49a6cf1c8c3f.exe
Download:	download sample
Signature	TaurusStealer Create hunting rule
File size:	347'648 bytes
First seen:	2020-12-28 17:31:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (237 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	6144:xd5YlgES+eFV4C5LgmmfNpnAxjVeWm0p9GhyWrKFcbH:jal1eogQfvUVeWm0vGh0cb
Threatray	28 similar samples on MalwareBazaar
TLSH	A3749E26EC683F49D523A234B10B3F3595F6871F3B2A156CE9FE4BB1B174A101A5307A
Reporter	abuse_ch
Tags:	exe TaurusStealer

abuse_ch

TaurusStealer C2:
http://62.113.112.137/cfg/

Intelligence

File Origin

# of uploads :

# of downloads :

460

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

55134aef7e05d52cec7b49a6cf1c8c3f.exe

Verdict:

Malicious activity

Analysis date:

2020-12-28 17:34:40 UTC

Tags:

trojan taurus stealer predator

Link:

https://app.any.run/tasks/cce8c3f5-a97b-4069-81b5-50951e3ceb8a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109758/

Detection(s):

PUA.Win.Packer.Upx-48

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Win.Dropper.Bunitu-9818108-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Containing strings that indicate a threat

Reading critical registry keys

Sending a UDP request

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/570881

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-12-28 14:52:33 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qrh4esp4vgkegghbhpp35xqye5ffqt4nshzvqljpopv6tiwxfbda._file

Verdict:

unknown

TaurusStealer

28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

TaurusStealer

2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb

TaurusStealer

3ee5a54480db0b8a0b2a5c28b04c1f6689945de2a977f5bff91f24e1548a6c7a

TaurusStealer

64fff3054dcf99561ee55226eb011ac1b6e1d9c2af3f7938970d06b2925bbce8

TaurusStealer

83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b

TaurusStealer

9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671

TaurusStealer

a83fcb8454befab866f2ab18871017730bcfc3f690106844f740ebbd8cadd6d8

TaurusStealer

f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277

TaurusStealer

fd865a95aba368c5bef303415ae32e89141cc10b2455e5e9cba721a79bb3b78b

TaurusStealer

+ 18 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer upx

Link:

https://tria.ge/reports/201228-pw4zj53mf6/

Behaviour

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

be542aa2fb1cc4e6e8cb62b05a257563f5d162e161b47313ad2d9484a1328370

MD5 hash:

744d924a8174ffd505008edded019638

SHA1 hash:

147de000f1a98334ea382626c6bcb0384776e2df

Link:

https://www.unpac.me/results/3fa41dca-df91-420b-87f1-1d72051c779e/

SH256 hash:

c855ae200540a9c2d401c0b696e7fdeb06192a36f3cce2aaf7cc6f2b3f1f9de5

MD5 hash:

38c78181e209b546a9144d4bb2b77d68

SHA1 hash:

fdcfa1b17c1eab29081b567c7a473cc0932efd99

Link:

https://www.unpac.me/results/3fa41dca-df91-420b-87f1-1d72051c779e/

SH256 hash:

844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846

MD5 hash:

55134aef7e05d52cec7b49a6cf1c8c3f

SHA1 hash:

88b0f5c796d671dc93cf2342ef7f1f0a3249b1ef

Link:

https://www.unpac.me/results/3fa41dca-df91-420b-87f1-1d72051c779e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Glupteba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/