Overview

overview

10

Static

static

3848e61897...b4.exe

windows7_x64

10

3848e61897...b4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 23:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe

  • Size

    762KB

  • MD5

    1c4dbd755e7ba59d2a4ce457f09f755b

  • SHA1

    80b81ba84a6a507c241f5a99e34153fab47d3f0b

  • SHA256

    3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4

  • SHA512

    55a509c9a3be54093b13409da0f7720932e5eb9fab3d6322bcdef0755584aff10224bc98b4ae3db68261900e9a56359416cc0cffde429c0d0cf09fdccd07c90d

Score
10/10
isrstealerspywarestealersuricatatrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer Payload 5 IoCs
  • suricata: ET MALWARE ISRStealer Checkin

    suricata: ET MALWARE ISRStealer Checkin

    suricata
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe
    "C:\Users\Admin\AppData\Local\Temp\3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
        PID:452
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3392
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\5tSJpxgezC.ini"
          3⤵
          • Executes dropped EXE
          PID:2364
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\Y3ysOYeewZ.ini"
          3⤵
          • Executes dropped EXE
          PID:1584
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 80
            4⤵
            • Program crash
            PID:4964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1584 -ip 1584
      1⤵
        PID:3552

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\5tSJpxgezC.ini
        Filesize

        5B

        MD5

        d1ea279fb5559c020a1b4137dc4de237

        SHA1

        db6f8988af46b56216a6f0daf95ab8c9bdb57400

        SHA256

        fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

        SHA512

        720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        Download Submit

      • memory/2364-148-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/2364-145-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/2364-146-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/2364-142-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/2364-152-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/3392-151-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3392-134-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3392-138-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3392-147-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3392-156-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/4920-130-0x00000000751C0000-0x0000000075771000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4920-150-0x00000000751C0000-0x0000000075771000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4920-132-0x00000000751C0000-0x0000000075771000-memory.dmp

        Filesize

        5.7MB

        Download