The GlorySprout or a Failed Clone of Taurus Stealer – RussianPanda Research Blog
Common Information

Type                              Value
UUID                              b8d9384f-4c5d-4ff7-b0f6-7f5bd5df7816
Fingerprint                       24e2f95000a71f91
Analysis status                   DONE
Considered CTI value              2
Text language
Published                         March 16, 2024, 12:01 p.m.
Added to db                       Aug. 31, 2024, 8:07 a.m.
Last updated                      Nov. 17, 2024, 7:44 p.m.
Headline                          Case Study
Title                             The GlorySprout or a Failed Clone of Taurus Stealer – RussianPanda Research Blog
Detected Hints/Tags/Attributes    48/1/24
RSS Feed

Id     Enabled   Feed title                    Url                                  Added to db
219              RussianPanda Research Blog    https://russianpanda.com/feed.xml    2024-08-30 22:08
Attributes

Type               #Events   Value
Domain             707       google.com
Domain             5         fumik0.com
Domain             10        outpost24.com
Domain             4127      github.com
File               185       shell32.dll
File               291       user32.dll
File               86        ole32.dll
File               83        crypt32.dll
File               229       advapi32.dll
File               6         ktmw32.dll
File               146       wininet.dll
File               2125      cmd.exe
File               409       c:\windows\system32\cmd.exe
File               1         c:\users\username\desktop\payload.exe
File               3         forms.txt
Github username    5         russianpanda95
md5                1         3952a294b831e8738f70c2caea5e0559
md5                1         d295c4f639d581851aea8fbcc1ea0989
IPv4               1         147.78.103.197
IPv4               1         45.138.16.167
Url                1         https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief
Url                2         https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer
Url                1         https://github.com/russianpanda95/yara-rules/blob/main/glorysprout/win_mal_glorysprout_stealer.yar
Yara rule          1         win_mal_GlorySprout_Stealer (rule text follows)

rule win_mal_GlorySprout_Stealer {
	meta:
		author = "RussianPanda"
		description = "Detects GlorySprout Stealer"
		date = "3/16/2024"
		hash = "8996c252fc41b7ec0ec73ce814e84136be6efef898822146c25af2330f4fd04a"
	strings:
		$s1 = { 25 0F 00 00 80 79 05 48 83 C8 F0 40 }
		$s2 = { 8B 82 A4 00 00 00 8B F9 89 06 8D 4E 0C 8B 82 A8 00 00 00 89 46 04 0F B7 92 AC 00 00 00 89 56 08 }
		$s3 = { 0F B6 06 C1 E7 04 03 F8 8B C7 25 00 00 00 F0 74 0B C1 E8 18 }
	condition:
		uint16(0) == 0x5A4D and all of them and #s1 > 100
}