Malware Analysis Report

2025-01-18 16:48

Sample ID 220616-dq98dsccc5
Target 27d0d28bfd7016b70a64b54b3ac8ae1e3d0823fc9d81d3e2677a07ad39a91311
SHA256 27d0d28bfd7016b70a64b54b3ac8ae1e3d0823fc9d81d3e2677a07ad39a91311
Tags: isrstealer stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

27d0d28bfd7016b70a64b54b3ac8ae1e3d0823fc9d81d3e2677a07ad39a91311

Threat Level: Known bad

The file 27d0d28bfd7016b70a64b54b3ac8ae1e3d0823fc9d81d3e2677a07ad39a91311 was found to be: Known bad.

Malicious Activity Summary

isrstealer stealer trojan

ISR Stealer

ISR Stealer Payload

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-16 03:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-16 03:13

Reported

2022-06-16 03:46

Platform

win7-20220414-en

Max time kernel

31s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.scr" /S

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1172 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1172 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\order.scr

"C:\Users\Admin\AppData\Local\Temp\order.scr" /S

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

N/A

Files

memory/1172-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

memory/1172-55-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/1172-56-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/1836-58-0x0000000000090000-0x00000000000D2000-memory.dmp

memory/1172-60-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/1172-61-0x00000000022F6000-0x0000000002307000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-16 03:13

Reported

2022-06-16 03:46

Platform

win10v2004-20220414-en

Max time kernel

145s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.scr" /S

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3480 set thread context of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.scr | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order.scr

"C:\Users\Admin\AppData\Local\Temp\order.scr" /S

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 67.24.25.254:80 | | tcp
US | 67.24.25.254:80 | | tcp
US | 20.189.173.6:443 | | tcp
NL | 104.110.191.133:80 | | tcp
NL | 104.110.191.133:80 | | tcp
NL | 104.110.191.133:80 | | tcp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp

Files

memory/3480-130-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/3480-131-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/3812-132-0x0000000000000000-mapping.dmp

memory/3812-134-0x0000000000610000-0x0000000000652000-memory.dmp

memory/3480-136-0x0000000074A20000-0x0000000074FD1000-memory.dmp