MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d
SHA3-384 hash:	b549425a00debbfc1c5fefde0bb6fe324014723a17a150057dcd4101c0060d667f20125ad6c0b9c0fb711d02a3223d0f
SHA1 hash:	bed53dc755559ecc8ed6a84f7efbe877937324de
MD5 hash:	fbe426a8d46b433667c3a30f38c703ab
humanhash:	colorado-delta-eighteen-quebec
File name:	DOCUMENT FILE.exe
Download:	download sample
File size:	368'640 bytes
First seen:	2021-01-18 08:36:31 UTC
Last seen:	2021-01-18 10:42:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	6144:bMiKtIEkQ4bxtveZSzTK7gHFQSB7h4LpIyFwHXyJu:+cQ4bxtveZ0KkOSI1IyFai
Threatray	33 similar samples on MalwareBazaar
TLSH	0F74128DCB004D91F7913ABCD722A9B8C379ED796E411A52EBF4B7991F35140283239B
Reporter	GovCERT_CH

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DOCUMENT FILE.exe

Verdict:

Malicious activity

Analysis date:

2021-01-14 08:08:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/02c5c4d7-1185-466b-b925-591bf0644940

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/112495/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a custom TCP request

DNS request

Creating a file

Reading critical registry keys

Sending a UDP request

Deleting a recently created file

Replacing files

Launching cmd.exe command interpreter

Launching a process

Stealing user critical data

Result

Threat name:

Predator Taurus Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/583487

Signature

Contains functionality to inject code into remote processes

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Predator

Yara detected Taurus Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-01-14 10:15:43 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

unknown

28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb

3ee5a54480db0b8a0b2a5c28b04c1f6689945de2a977f5bff91f24e1548a6c7a

83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b

844fc249fca9944318e13bdfbede18274a584f8d91f3582d2f73ebe9a2d72846

8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63

9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671

a83fcb8454befab866f2ab18871017730bcfc3f690106844f740ebbd8cadd6d8

f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277

+ 23 additional samples on MalwareBazaar

Result

Malware family:

taurus_stealer

Score:

10/10

Tags:

family:taurus_stealer discovery spyware stealer trojan upx

Link:

https://tria.ge/reports/210118-a7cxswypve/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Taurus Stealer

Unpacked files

SH256 hash:

1a19f6e8ee74505ee394b328ed0dd4dd2765e2433ae6296355c1d948fb092825

MD5 hash:

44aac3f5320454ccd47dea36a6ddc3a2

SHA1 hash:

3b68d4457cb6630b1fa3291fd676d4840a8ea5d1

Link:

https://www.unpac.me/results/4a49a411-c820-43f8-a0af-335c9472266f/

SH256 hash:

edc8e10e42d63d83f883f0b554fc12b1f99bae5df6aa50165d3501330aa3ee1a

MD5 hash:

0c62e41db4ca02f0198fef070da6d293

SHA1 hash:

859d1cc9820b0824213edf0d29cbedad2b9631cf

Link:

https://www.unpac.me/results/4a49a411-c820-43f8-a0af-335c9472266f/

SH256 hash:

847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d

MD5 hash:

fbe426a8d46b433667c3a30f38c703ab

SHA1 hash:

bed53dc755559ecc8ed6a84f7efbe877937324de

Link:

https://www.unpac.me/results/4a49a411-c820-43f8-a0af-335c9472266f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Azorult

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/847fa8413751c698b7cb1f258a4365d8e50915e4811fa916308f6b0e18cbc17d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/