Analysis Overview
SHA256
3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507
Threat Level: Known bad
The file 3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer Payload
suricata: ET MALWARE ISRStealer Checkin
Nirsoft
NirSoft MailPassView
UPX packed file
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 04:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 04:20
Reported
2022-06-21 04:23
Platform
win7-20220414-en
Max time kernel
39s
Max time network
55s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
3 hits (the export carries no description, indicator, process or target for them)
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
2 hits (no indicator detail in the export)
Nirsoft
2 hits (no indicator detail in the export)
UPX packed file
10 hits (no indicator detail in the export)
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1664 set thread context of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| PID 1716 set thread context of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| PID 1716 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | "C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe" |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\STeuSlCJQb.ini" |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\8TDgKgVOrU.ini" |
All four processes run from the same image: the sample launches a copy of itself and, per the SetThreadContext rows above, hollows it with the stealer payload, which in turn hollows two more copies. /scomma is the NirSoft command-line switch that writes a tool's report as a comma-delimited file, so the two grandchild processes are NirSoft recovery tools being driven to dump whatever credentials they find into randomly named .ini files in the user's Temp directory. Note that the image path in the command line belongs to the sample, not to the NirSoft tool actually executing; this is why the signatures fire on memory dumps rather than on files on disk.
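The two behaviours that make this sample detectable without a signature on the packed binary are the self-spawn chain (a process launching a copy of itself, which launches further copies) and the NirSoft save switch pointing at a file in Temp, with the Outlook account-store read as corroboration. The following is an added example of that detection logic, written for this page and not taken from the sandbox or the malware; it runs over constructed Sysmon-style events that mirror the behavioral1 process list. Which grandchild received which .ini path, which process opened the registry key, and explorer.exe as the initial parent are assumptions (the report does not record them); field names follow Sysmon Event ID 1 and 12 conventions, and the sibling NirSoft switches beside /scomma are the tools' documented save options.

```python
"""Detect the ISR Stealer execution pattern from process and registry events.

Added example, not code from the sandbox or from the sample. Events are
constructed to mirror the behavioral1 detonation; see the lead-in for
which details are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def _proc(pid, ppid, image, parent_image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "cmdline": cmdline}


# Constructed events. explorer.exe as the first parent, the PID-to-.ini
# pairing and the PID that opened the Outlook key are assumptions.
EVENTS = [
    _proc(1664, 1000, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    _proc(1716, 1664, SAMPLE, SAMPLE, SAMPLE),
    _proc(1720, 1716, SAMPLE, SAMPLE, f'/scomma "{TEMP}\\STeuSlCJQb.ini"'),
    _proc(1968, 1716, SAMPLE, SAMPLE, f'/scomma "{TEMP}\\8TDgKgVOrU.ini"'),
    {"type": "registry_open", "pid": 1720,
     "key": r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
            r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
]

# Negative control: one self-spawn is ordinary (browsers, updaters) and
# must not trip the detection on its own.
BENIGN = [
    _proc(300, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Windows\explorer.exe", "chrome.exe"),
    _proc(301, 300, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "chrome.exe --type=renderer"),
]

# /scomma is what this sample used; the alternatives are NirSoft's other
# documented "save report" switches and are matched so a variant that
# swaps the output format is still caught.
NIRSOFT_SAVE = re.compile(
    r'/s(?:comma|text|tab|tabular|xml|html|verhtml)\s+"?([^"]+?)"?\s*$', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
OUTLOOK_ACCOUNTS = re.compile(
    r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I)


def find_self_spawn_chains(events, min_depth=3):
    """Return PID chains in which every process was launched from the same
    image as its parent. Depth 3 (grandchild of the same image) is the
    shape of a loader hollowing staged payloads into copies of itself."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}

    def same_image(e):
        return e["image"].lower() == e["parent_image"].lower()

    children = defaultdict(list)
    for e in procs.values():
        if same_image(e):
            children[e["ppid"]].append(e["pid"])
    # Roots are parents that were not themselves self-spawned.
    roots = [p for p in children if p not in procs or not same_image(procs[p])]
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            if len(path) >= min_depth:
                chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def find_nirsoft_dumps(events):
    """(pid, output path, written under %TEMP%?) for every NirSoft save switch."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = NIRSOFT_SAVE.search(e["cmdline"])
        if m:
            hits.append((e["pid"], m.group(1), bool(TEMP_DIR.search(m.group(1)))))
    return hits


def find_outlook_account_access(events):
    """PIDs that opened the Outlook account store (what MailPassView reads)."""
    return [e["pid"] for e in events
            if e["type"] == "registry_open" and OUTLOOK_ACCOUNTS.search(e["key"])]


def analyze(events):
    """Combine the three indicators into a verdict; weights are a judgement call."""
    chains = find_self_spawn_chains(events)
    dumps = find_nirsoft_dumps(events)
    outlook = find_outlook_account_access(events)
    score = (2 if chains else 0) + (2 if dumps else 0) + (1 if outlook else 0)
    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"verdict": verdict, "score": score, "chains": chains,
            "nirsoft_dumps": dumps, "outlook_access": outlook}


if __name__ == "__main__":
    print(analyze(EVENTS))
    print(analyze(BENIGN))
```

The self-spawn check alone is deliberately not enough for a verdict: depth-two self-spawns are everywhere in benign software, which is why the chain depth defaults to three and why the NirSoft switch carries equal weight. In a real pipeline the Sysmon Event ID 10 (process access) records for the SetThreadContext and WriteProcessMemory calls would be a fourth input.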
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dogrusu.net | udp |
| US | 64.32.8.67:80 | dogrusu.net | tcp |
| US | 8.8.8.8:53 | ww4.dogrusu.net | udp |
| US | 199.59.243.220:80 | ww4.dogrusu.net | tcp |
Files
memory/1664-56-0x0000000000400000-0x0000000000500000-memory.dmp
memory/1664-57-0x0000000000330000-0x0000000000390000-memory.dmp
memory/1664-58-0x00000000035F0000-0x00000000036F0000-memory.dmp
memory/1664-59-0x00000000035F0000-0x00000000036F0000-memory.dmp
memory/1716-60-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1716-61-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1716-63-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1716-67-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1716-69-0x0000000000401180-mapping.dmp
memory/1664-71-0x0000000000400000-0x0000000000500000-memory.dmp
memory/1664-72-0x0000000000330000-0x0000000000390000-memory.dmp
memory/1720-75-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1720-76-0x00000000004512E0-mapping.dmp
memory/1720-78-0x00000000754A1000-0x00000000754A3000-memory.dmp
memory/1720-79-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1720-80-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1716-81-0x0000000002760000-0x0000000002860000-memory.dmp
memory/1720-82-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1720-83-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\STeuSlCJQb.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
The file written under behavioral2 (z8vMLLjxkt.ini) has exactly the same hashes, so the content is host-independent; this is consistent with the recovery tool finding no credentials on the clean sandbox image. Only one of the two .ini files was captured in each run.
memory/1968-87-0x000000000041C410-mapping.dmp
memory/1968-86-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1968-90-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1968-91-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1968-92-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1716-93-0x00000000033D0000-0x00000000034D0000-memory.dmp
memory/1716-94-0x0000000002760000-0x0000000002860000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 04:20
Reported
2022-06-21 04:22
Platform
win10v2004-20220414-en
Max time kernel
90s
Max time network
154s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
3 hits (no indicator detail in the export)
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
2 hits (no indicator detail in the export)
Nirsoft
2 hits (no indicator detail in the export)
UPX packed file
8 hits (no indicator detail in the export)
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4504 set thread context of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| PID 952 set thread context of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| PID 952 set thread context of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | "C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe" |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\z8vMLLjxkt.ini" |
| C:\Users\Admin\AppData\Local\Temp\3058eb48fda7e64b10a9a95621daf6ee4b2780ba55c955e5ad27c2ffbc13c507.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\j8n9Hp98RC.ini" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dogrusu.net | udp |
| US | 64.32.8.67:80 | dogrusu.net | tcp |
| US | 8.8.8.8:53 | ww4.dogrusu.net | udp |
| US | 199.59.243.220:80 | ww4.dogrusu.net | tcp |
| BE | 67.27.154.126:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
The dogrusu.net and ww4.dogrusu.net connections are the same as in the Windows 7 run and are what the Suricata ISRStealer check-in rule fired on. The last five rows have no DNS resolution recorded and appear only in the Windows 10 detonation; check them against the platform's baseline background traffic before treating them as indicators of this sample.
Files
memory/4504-130-0x0000000000400000-0x0000000000500000-memory.dmp
memory/4504-133-0x00000000022F0000-0x0000000002350000-memory.dmp
memory/4504-134-0x0000000003B30000-0x0000000003C30000-memory.dmp
memory/4504-135-0x0000000003B30000-0x0000000003C30000-memory.dmp
memory/952-136-0x0000000000000000-mapping.dmp
memory/952-137-0x0000000000400000-0x0000000000442000-memory.dmp
memory/952-139-0x0000000000400000-0x0000000000442000-memory.dmp
memory/952-141-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4504-142-0x0000000000400000-0x0000000000500000-memory.dmp
memory/4504-143-0x00000000022F0000-0x0000000002350000-memory.dmp
memory/1844-146-0x0000000000000000-mapping.dmp
memory/1844-147-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1844-149-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1844-150-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1844-151-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\z8vMLLjxkt.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/4552-153-0x0000000000000000-mapping.dmp
memory/4552-154-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-156-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-157-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-158-0x0000000000400000-0x000000000041F000-memory.dmp