Overview

overview

10

Static

static

Catelog.jpg.exe

windows7-x64

8

Catelog.jpg.exe

windows10-2004-x64

8

Samples.jpg.exe

windows7-x64

10

Samples.jpg.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7515891da490d8fb807fa68ea40e27d0fb25a111c17b5a06cafe770f74c51599

  • Size

    504KB

  • Sample

    221001-2jhfssadb8

  • MD5

    749a018673aeac371129013ea0f0f300

  • SHA1

    ce8c6c7d0eee7440a3326fdaecc38408b64948f4

  • SHA256

    7515891da490d8fb807fa68ea40e27d0fb25a111c17b5a06cafe770f74c51599

  • SHA512

    9ce409586b8de7d694c2e2409986c3b98153a2a7a6b7ef7ede422a3270232f19db929f7ec642ea719877bef6f20e0afa3ceeef86c9eb29c93b62c25c652f25ec

  • SSDEEP

    6144:BVz7FWvZ7f1szXE3jM/4vPc1kH6wMG5a9T/iNJI+c8ItCslNlnzYdmcdlgXC60xo:/zhw7fDjhHPMGxJfICslMmcdlgeTmDH

Score
10/10
isrstealercollectionpersistencestealertrojanupx

Malware Config

Targets

    • Target

      Catelog.jpg.exe

    • Size

      123KB

    • MD5

      458a2379358ae7cdd5a47059277338ca

    • SHA1

      c3753cfa681d226b772a3ab6bc462a5c29791fa0

    • SHA256

      d954de23f8e04cff445b91436fdaf60b05c18e115c3dda8afce8460d72fb1fa7

    • SHA512

      fe182750f864b963f5ca970013bf5003dd108c7e7d69c981d9b8779b8276727b464fd5a1978dffd68e9e52e809bf7ce23206114d58f6aba3d87d4e8b5d768705

    • SSDEEP

      3072:wJQ8sYDCBvQTYMGWdQUkv2Gc1eGktXENiTRWnTuX8Wr:yERqTfGDHv+DvoTROTu

    Score
    8/10
    persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Samples.jpg.exe

    • Size

      392KB

    • MD5

      d4bb706e3e461f1ccf390fc2fc786faf

    • SHA1

      94b8dee04b501862d4b66f376a806ccaaebb4122

    • SHA256

      ac2cfb961139a24edca708958b6f6a72666f3f711696065435fcf169bee64a56

    • SHA512

      384a5639ed3e9074600430183634ba7bd52b26190041241012970e164dc6f08e6b4eef5f8d4ba9ab4ff79ad01cd08ed93e7f7e0b62662a5cce80fb2b80dee3cb

    • SSDEEP

      12288:xZNq9Q5uxGnhiqti9tb/eT3BK/AMKEOL+:xua2GnUqtYyT8/xOL+

    Score
    10/10
    isrstealercollectionpersistencestealertrojanupx

    • ISR Stealer

      ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

      trojanstealerisrstealer

    • ISR Stealer payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks