MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TaurusStealer


Vendor detections: 6



SHA256 hash: ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
SHA3-384 hash: ef26a481b4430db1e902294c3f4371dad8a6df41419f8ea71e141021c6bb51d0a0c4640773c12c59eb002b89b3e55e0b
SHA1 hash: 345fba0f611a59ddd30a8c87f793a80fbf82c50e
MD5 hash: 91465c291a92591087e70caa0d4c3370
humanhash: alpha-johnny-hawaii-fanta
File name: KY6mW.exe
Signature: TaurusStealer
File size: 963'088 bytes
First seen: 2020-07-23 15:15:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep: 24576:CQBfhmRb7HkxOYnBUvYgOhtfZqyk7nw5rdcqRgpKtj:CQBpbPgB3Yx
Threatray: 12 similar samples on MalwareBazaar
TLSH: FF250112A6E49C11EDE0877615FCC2836633BC705AF4C176E29A39FD49B4730E5273AA
Reporter: James_inthe_box
Tags: exe TaurusStealer

Code Signing Certificate

Organisation: F.lux Software LLC
Issuer: COMODO RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Apr 30 00:00:00 2018 GMT
Valid to: Apr 29 23:59:59 2021 GMT
Serial number: 22367DBEFD0A325C3893AF52547B14FA
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: B5CB5B256E47A30504392C37991E4EFC4CE838FDE4AD8DF47456D30B417E6D5C
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 105
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Delayed writing of the file
Launching a process
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Forced shutdown of a system process
Result
Threat name: Taurus Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100

Behaviour
Behavior Graph:
Behavior Graph ID: 250526
Sample: KY6mW.exe
Start date: 24/07/2020
Architecture: WINDOWS
Score: 88

Top-level signatures:
  Multi AV Scanner detection for submitted file
  Yara detected Taurus Stealer
  Uses ping.exe to sleep
  2 other signatures

Process tree:
  KY6mW.exe
    dropped file: C:\Users\user\AppData\Local\...\kZfZB.com (COM)
    cmd.exe
      signature: Uses ping.exe to sleep
      smss.com
        smss.com
          DNS: Pp.Pp
          signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
          TapiUnattend.exe
            network: infocorp.site 104.27.188.216, 443, 49734 (CLOUDFLARENETUS, United States)
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
            WerFault.exe
      PING.EXE
        network: 127.0.0.1
      certutil.exe
      2 other processes
  rundll32.exe
Threat name: Win32.Trojan.Rotaderp
Status: Malicious
First seen: 2020-07-23 15:14:55 UTC
File type: PE (Exe)
Extracted files: 28
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments