MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TaurusStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9
SHA3-384 hash: 68f216d108f458958025a20bc6a1075dab5963f14a186b8085b3812bc1d7997629a711c7ef275dc2fe8609bff521393a
SHA1 hash: 4cb59e23f295f7d58f47aae7dccff55d17269765
MD5 hash: 3e7fb15093287d6e06313027be35bf6d
humanhash: beryllium-tennis-skylark-earth
File name:3e7fb15093287d6e06313027be35bf6d.exe
Download: download sample
Signature TaurusStealer
Create hunting rule
File size:335'872 bytes
First seen:2021-01-20 14:08:34 UTC
Last seen:2021-01-20 15:53:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (265 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:A+XcFFDKitHFI7AgZxTXQ9l5tMCL9hqptT8ZSCpA8Bgs:A+XSFDKylkvTQvcy9hG5iSCW
Threatray 34 similar samples on MalwareBazaar
TLSH 806412045D3DECEDCCD48976895B8ABBD4CE78E4EA025B413D0029EF3677BEA4661E04
Reporter abuse_ch
Tags:exe TaurusStealer


Avatar
abuse_ch
TaurusStealer C2:
http://195.2.74.126/cfg/

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e7fb15093287d6e06313027be35bf6d.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 14:15:34 UTC
Tags:
trojan taurus stealer predator
Link:
https://app.any.run/tasks/00c52d4d-8ab9-4c1e-abd2-1822d924153d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113095/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Containing strings that indicate a threat
Reading critical registry keys
Creating a file
Deleting a recently created file
Replacing files
Creating a window
DNS request
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Stealing user critical data
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/586215
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-01-17 11:22:22 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pin4mtyilos32i55jfmn6nhccy6s72xiijab2xciflggzi5mc4q._file
Verdict:
suspicious
Similar samples:
2348533bdaabfe1f6418b36fa8e3aa06beb2317636a4cb6b0248bd4a01e51f95
TaurusStealer
28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
TaurusStealer
2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
TaurusStealer
4938f6743d7631038c1bd6bed20e4c9e531c741a396316d9c7ea59a6d1972d86
TaurusStealer
64fff3054dcf99561ee55226eb011ac1b6e1d9c2af3f7938970d06b2925bbce8
TaurusStealer
83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b
TaurusStealer
84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13
TaurusStealer
dc5f40f99496a7140ea7722698f2de741fb00845c7791d78ec0ba90fc4a04490
TaurusStealer
ebbf1f05b4ebc687893c9989688b139424d0fe6242ab490c7282b7bd6299c187
TaurusStealer
fd865a95aba368c5bef303415ae32e89141cc10b2455e5e9cba721a79bb3b78b
TaurusStealer
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery ransomware spyware stealer upx
Link:
https://tria.ge/reports/210120-fk5ywj29re/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
84cda602fc1b8d93e543db36cea5f491a4357fbd3ab3a62568bf6b3599e58882
MD5 hash:
b2046f6e8613796e9fa4d4b4dbdb5c30
SHA1 hash:
5d5c667388505fe2c1ad1a361b9dafd9aa3e5aec
Link:
https://www.unpac.me/results/7744e978-fe0c-4609-a267-c908725217ff/
SH256 hash:
6176e3689cddd382ca2cace934756bb8a1ccd355008b8ea6de6ab8ac61687a89
MD5 hash:
e701a129e85baed6fa17a33401ed0969
SHA1 hash:
2988fe844de8d88ce14e1218f425dba5ecd380f2
Link:
https://www.unpac.me/results/7744e978-fe0c-4609-a267-c908725217ff/
SH256 hash:
e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9
MD5 hash:
3e7fb15093287d6e06313027be35bf6d
SHA1 hash:
4cb59e23f295f7d58f47aae7dccff55d17269765
Link:
https://www.unpac.me/results/7744e978-fe0c-4609-a267-c908725217ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113095/

Comments