Malware Analysis Report

Report generated: 2025-01-18 16:49
Sample ID: 220919-lazqqaecap
Target (submitted file name): 27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678
SHA256: 27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678
Tags: isrstealer, collection, spyware, stealer, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678
Threat Level: Known bad

Malicious Activity Summary

Tags: isrstealer, collection, spyware, stealer, trojan, upx

Signatures triggered across the analyses below:

ISR Stealer payload
ISR Stealer
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
UPX packed file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken

Taken together this is the characteristic ISR Stealer profile: a UPX-packed loader that spawns copies of itself, writes into them (WriteProcessMemory, SetThreadContext) and runs the NirSoft MailPassView and WebBrowserPassView recovery tools inside them to harvest mail, browser and FTP client credentials. The per-analysis sections below show that this behaviour only surfaced in the Windows 10 run (behavioral2); the Windows 7 run produced no signature hits.

MITRE ATT&CK (Enterprise Matrix V6)

No technique mapping is recorded in this export.

Analysis: static1

Detonation Overview

Reported: 2022-09-19 09:20

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-19 09:20
Reported: 2022-09-19 13:44
Platform: win7-20220901-en
Max time kernel: 43s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"

Signatures: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"

Network

Country Destination Domain Proto
NL 142.250.179.174:443 tcp
NL 142.251.36.3:443 tcp
NL 172.217.168.237:443 tcp
US 8.8.8.8:443 tcp
US 8.8.4.4:443 tcp
NL 142.250.179.131:443 tcp
NL 216.58.214.10:443 tcp

No domain was resolved, no signature fired and no file or memory dump was captured on this Windows 7 run, so it contributes no sample-specific indicators. Every destination is TCP/443 in Google address space (8.8.8.8 and 8.8.4.4 on port 443 are Google Public DNS over HTTPS), which is consistent with background traffic from the analysis VM rather than with stealer activity. Only the Windows 10 run (behavioral2) exercised the payload.

Files: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-09-19 09:20
Reported: 2022-09-19 13:45
Platform: win10v2004-20220812-en
Max time kernel: 78s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"

Signatures

ISR Stealer (trojan stealer isrstealer)

ISR Stealer payload: 3 matches (description, indicator, process and target columns not exported).

NirSoft MailPassView: 2 matches (details not exported).

NirSoft WebBrowserPassView: 3 matches (details not exported).

Nirsoft: 9 matches (details not exported).

UPX packed file (upx): 10 matches (details not exported).

Reads data files stored by FTP clients (spyware stealer)

Reads user/profile data of web browsers (spyware stealer)

Accesses Microsoft Outlook accounts (collection)

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe N/A

Suspicious use of WriteProcessMemory

All 36 recorded writes are between copies of the sample, C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe (both the Process and the Target column of the original table); they are condensed here by source and target PID.

Source PID Target PID Writes
4932 4964 8
4964 4696 13
4696 2628 5
4696 1380 5
4696 4608 5

The writes describe the process chain 4932 -> 4964 -> 4696 -> {2628, 1380, 4608}: each parent spawns a fresh copy of the same executable and writes into it. Together with the SetThreadContext signature in the overview and the SeDebugPrivilege token adjustment above, this is consistent with the RunPE / process-hollowing pattern, in which the child's original image is replaced in memory with a different payload; the differing memory-region sizes of the five children in the Files section point the same way.
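The behaviour recorded in this Signatures section (a same-image parent writing into a same-image child plus SetThreadContext, a non-Outlook process opening the Outlook account store) and the NirSoft-style `/scomma <file>` command lines in the Processes list that follows are what a detection engineer would turn into rules. The Python below is an added example, not part of the report or of any sandbox product: it runs three such rules over constructed process-creation, memory-write and registry-open events shaped after this report. The event schema, the pairing of PIDs with the three `/scomma` command lines, the PID that opened the registry key and the benign OUTLOOK.EXE control event are assumptions made for the example; the report records none of them.

```python
"""Added example (not from the report): detection logic for the ISR Stealer
behaviours in this run, applied to constructed telemetry."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000"
               r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts")

# Constructed events in a simplified Sysmon-like shape (an assumption, not a real schema).
# The PIDs and the 4932 -> 4964 -> 4696 -> {2628, 1380, 4608} chain follow the report;
# which child got which /scomma line and which PID opened the key are assumed.
EVENTS = [
    {"type": "process_create", "pid": 4932, "ppid": 3000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 4964, "ppid": 4932, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "memory_write", "src": 4932, "dst": 4964},
    {"type": "set_thread_context", "src": 4932, "dst": 4964},
    {"type": "process_create", "pid": 4696, "ppid": 4964, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "memory_write", "src": 4964, "dst": 4696},
    {"type": "process_create", "pid": 2628, "ppid": 4696, "image": SAMPLE,
     "cmdline": rf'"{SAMPLE}" /scomma {TEMP}\data.dmp'},
    {"type": "memory_write", "src": 4696, "dst": 2628},
    {"type": "process_create", "pid": 1380, "ppid": 4696, "image": SAMPLE,
     "cmdline": rf'"{SAMPLE}" /scomma {TEMP}\data1.dmp'},
    {"type": "memory_write", "src": 4696, "dst": 1380},
    {"type": "process_create", "pid": 4608, "ppid": 4696, "image": SAMPLE,
     "cmdline": rf'"{SAMPLE}" /scomma {TEMP}\data2.dmp'},
    {"type": "memory_write", "src": 4696, "dst": 4608},
    {"type": "registry_open", "pid": 1380, "key": OUTLOOK_KEY},
    # Benign control: Outlook reading its own account store must not alert.
    {"type": "process_create", "pid": 5100, "ppid": 3000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'},
    {"type": "registry_open", "pid": 5100, "key": OUTLOOK_KEY},
]

# NirSoft save-to-file switches (/stext, /stab, /scomma, /stabular, /shtml, /sverhtml, /sxml).
NIRSOFT_SAVE = re.compile(r'/s(comma|tabular|tab|text|html|verhtml|xml)\s+"?([^\s"]+)', re.I)


def process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def find_self_injection(events):
    """Parent writes into, or re-points a thread of, a child running the same image:
    the RunPE / process-hollowing pattern behind the WriteProcessMemory signature."""
    procs = process_table(events)
    actions = defaultdict(set)
    for e in events:
        if e["type"] in ("memory_write", "set_thread_context"):
            actions[(e["src"], e["dst"])].add(e["type"])
    hits = []
    for (src, dst), kinds in sorted(actions.items()):
        parent, child = procs.get(src), procs.get(dst)
        if (parent and child and child["ppid"] == src
                and parent["image"].lower() == child["image"].lower()):
            hits.append({"parent": src, "child": dst,
                         "thread_context": "set_thread_context" in kinds})
    return hits


def find_nirsoft_dumps(events):
    """NirSoft save switch on a command line; output under a user Temp directory
    (as in this report) is the strongest form of the signal."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = NIRSOFT_SAVE.search(e["cmdline"])
        if m:
            hits.append({"pid": e["pid"], "switch": "/s" + m.group(1).lower(),
                         "output": m.group(2),
                         "in_temp": "\\appdata\\local\\temp\\" in m.group(2).lower()})
    return hits


def find_outlook_account_access(events):
    """Outlook's account store opened by anything other than OUTLOOK.EXE (the key
    this report lists under 'Accesses Microsoft Outlook accounts')."""
    procs = process_table(events)
    suffix = "\\software\\microsoft\\office\\outlook\\omi account manager\\accounts"
    hits = []
    for e in events:
        if e["type"] == "registry_open" and e["key"].lower().endswith(suffix):
            image = procs.get(e["pid"], {}).get("image", "")
            if not image.lower().endswith("\\outlook.exe"):
                hits.append({"pid": e["pid"], "image": image})
    return hits


def triage(events):
    """One entry per rule; the values are what an alert would carry."""
    return {"self_injection": find_self_injection(events),
            "nirsoft_dumps": find_nirsoft_dumps(events),
            "outlook_account_access": find_outlook_account_access(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, len(hits), hits)
```

The self-injection rule deliberately keys on parent and child sharing an image path rather than on WriteProcessMemory alone, which is far too common (debuggers, installers) to alert on; the thread-context flag distinguishes the first hop, where the loader also redirected execution, from the later hops where only writes were recorded.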

Processes

Six instances of the sample were observed, all launched from the same path C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe with the following command lines:

"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe"
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
"C:\Users\Admin\AppData\Local\Temp\27f122cbad61ec92dce9451d3b62b97d648d7f7d4ee5d3c763652602f2215678.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp

/scomma is the NirSoft command-line switch that saves a tool's results as a comma-delimited file, so the three /scomma instances are where the NirSoft password-recovery tools flagged in the Signatures section ran, writing recovered credentials to data.dmp, data1.dmp and data2.dmp in the user's Temp directory. The three instances without arguments match the first three PIDs of the WriteProcessMemory chain (4932, 4964, 4696) and the three /scomma instances its leaves (2628, 1380, 4608), but the report does not record which PID received which command line.

Network

Country Destination Domain Proto
US 8.253.208.121:80 tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 st.itprosolutions.org udp
US 13.89.179.8:443 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp

The only forward lookup is for st.itprosolutions.org, sent to Google Public DNS (8.8.8.8); the second query is a reverse (PTR) lookup for 52.242.101.226. The report does not record which process issued either query, what the answers were, or whether any of the port-80 sessions carried the stealer's output, so st.itprosolutions.org should be treated as a candidate indicator to pivot on rather than as confirmed command-and-control.

Files

Memory dumps

Dump file names follow memory/<PID>-<index>-<start>-<end>-memory.dmp, with one memory/<PID>-<index>-0x0000000000000000-mapping.dmp per process. Every captured region starts at 0x400000, the default image base of a 32-bit PE, and each PID was dumped repeatedly; the index is the report's dump counter.

PID  Region                  Size     Memory dump indices (mapping dump)
4964 0x00400000-0x00470000   0x70000  133, 156, 163 (132)
4696 0x00400000-0x0045F000   0x5F000  138, 139, 140, 154 (137)
2628 0x00400000-0x00454000   0x54000  142, 146, 160 (141)
1380 0x00400000-0x00426000   0x26000  145, 150, 153, 157, 158, 161 (144)
4608 0x00400000-0x0041F000   0x1F000  149, 152, 155, 159 (148)

The three leaf processes (2628, 1380, 4608) have three different region sizes even though they run the same on-disk executable, which is what one expects if each was hollowed and loaded with a different payload; these dumps, not the UPX-packed file on disk, are the place to run strings and YARA.

Dropped file

C:\Users\Admin\AppData\Local\Temp\data.dmp

MD5 c10dbeca73f8835240e08e4511284b83
SHA1 0032f8f941cc07768189ca6ba32b1beede6b6917
SHA256 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e
SHA512 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Only data.dmp is listed; data1.dmp and data2.dmp, named on the other two /scomma command lines, were not captured in this report.