Analysis
max time kernel: 46s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 23:22

Static task: static1

Behavioral task: behavioral1
Sample: 2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe
Resource: win10v2004-20220901-en
General
Target: 2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe
Size: 300KB
MD5: 6cf643e295d84b5197d51c5a1fd23149
SHA1: 023faa8a7269e7d5dd2ca235c907e9f9f5d940da
SHA256: 2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8
SHA512: 4b41a5a7d66996a7ab3ab622de66257278002a171de1b3904ecfd1d85ba4ff8e9cd98a6fdfb64a56107f87d8e9c356affbfad7cfb099a92937147340ae2ff04a
SSDEEP: 6144:FOBTAUpS671v8nHNW4SL6+W6y5L3N/BC5SgbjXBy3:FOBTPlhqtWVL6+CpQ55XBw
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1844-60-0x00000000000C0000-0x0000000000102000-memory.dmp  family_isrstealer
behavioral1/memory/1844-63-0x0000000000401180-mapping.dmp                    family_isrstealer
behavioral1/memory/1844-64-0x00000000000C0000-0x0000000000102000-memory.dmp  family_isrstealer
Suspicious use of SetThreadContext (1 IoC)
description                            pid   Process                                                                   procid_target
PID 1308 set thread context of 1844    1308  2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe     27
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
1308  2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   1308  2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe
Suspicious use of WriteProcessMemory (8 IoCs; all eight entries are identical)
description                        pid   Process                                                                   procid_target
PID 1308 wrote to memory of 1844   1308  2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe     27
Processes
1. C:\Users\Admin\AppData\Local\Temp\2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe "C:\Users\Admin\AppData\Local\Temp\2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe" (PID 1308)
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe "C:\Users\Admin\AppData\Local\Temp\2725f195a28405f562832d8c180aee96e410c4f715b45fa1de754cb5f80f36a8.exe" (PID 1844), child of PID 1308
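The signatures above describe one technique read together: PID 1308 enables SeDebugPrivilege, spawns a second copy of itself (PID 1844), writes into it eight times, rewrites a thread context with SetThreadContext, and the ISR Stealer YARA hits land in PID 1844's memory rather than in the parent. That is the RunPE / process-hollowing shape. The script below is an added example (not part of the sandbox report or its tooling) that correlates those events into a verdict. The event lines are a constructed key=value rendering of the report's tables, not a real sandbox log format; `sample.exe` stands in for the SHA256-named executable, and the `CreateProcess` event is assumed from the process tree rather than listed by the report.

```python
"""Correlate sandbox behaviour events into a process-hollowing verdict.

Added example. The event lines are a constructed key=value rendering of the
report's signature tables and process tree, not a real sandbox log format.
'sample.exe' stands in for the long SHA256-named executable in the report.
"""
import re
from collections import defaultdict

EVENTS = [
    "pid=1308 image=sample.exe api=AdjustPrivilegeToken token=SeDebugPrivilege",
    "pid=1308 image=sample.exe api=EnumeratesProcesses",
    # Process tree shows 1308 spawned 1844 from the same path (assumed CreateProcess).
    "pid=1308 image=sample.exe api=CreateProcess target=1844 target_image=sample.exe",
] + ["pid=1308 image=sample.exe api=WriteProcessMemory target=1844"] * 8 + [
    "pid=1308 image=sample.exe api=SetThreadContext target=1844",
]

# YARA hits, named the way the report names memory dumps:
#   <task>/memory/<pid>-<n>-0x<start>[-0x<end>]-(memory|mapping).dmp
YARA_HITS = [
    ("behavioral1/memory/1844-60-0x00000000000C0000-0x0000000000102000-memory.dmp", "family_isrstealer"),
    ("behavioral1/memory/1844-63-0x0000000000401180-mapping.dmp", "family_isrstealer"),
    ("behavioral1/memory/1844-64-0x00000000000C0000-0x0000000000102000-memory.dmp", "family_isrstealer"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")
DUMP_RE = re.compile(
    r"/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?:memory|mapping)\.dmp$"
)


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def dump_pid(path):
    """PID a memory-dump name belongs to, or None if the name is not a dump."""
    m = DUMP_RE.search(path)
    return int(m.group("pid")) if m else None


def new_indicators():
    return {"writes": 0, "set_thread_context": False, "child_same_image": False,
            "debug_priv": False, "yara": set()}


def correlate(events, yara_hits):
    """Group cross-process API calls by (source pid, target pid) and attach the
    context that separates hollowing from a debugger or installer doing writes."""
    pairs = defaultdict(new_indicators)
    debug_pids = set()
    children = {}  # child pid -> (parent pid, parent image, child image)
    for line in events:
        ev = parse_event(line)
        pid, api = int(ev["pid"]), ev["api"]
        if api == "AdjustPrivilegeToken" and ev.get("token") == "SeDebugPrivilege":
            debug_pids.add(pid)
        elif api == "CreateProcess":
            children[int(ev["target"])] = (pid, ev["image"], ev["target_image"])
        elif api == "WriteProcessMemory":
            pairs[(pid, int(ev["target"]))]["writes"] += 1
        elif api == "SetThreadContext":
            pairs[(pid, int(ev["target"]))]["set_thread_context"] = True
    for (src, dst), ind in pairs.items():
        ind["debug_priv"] = src in debug_pids
        parent = children.get(dst)
        ind["child_same_image"] = bool(parent) and parent[0] == src and parent[1] == parent[2]
        # A family hit in the written-to process is the injected payload, not the dropper.
        ind["yara"] = {rule for path, rule in yara_hits if dump_pid(path) == dst}
    return dict(pairs)


def verdict(ind):
    """Writes followed by a thread-context rewrite is the RunPE/hollowing shape;
    a same-image child and a YARA hit in the target raise confidence."""
    if not ind["writes"]:
        return "no cross-process write"
    if not ind["set_thread_context"]:
        return "cross-process write only"
    label = "process hollowing"
    if ind["child_same_image"]:
        label += ", same-image child"
    if ind["yara"]:
        label += ", payload " + "/".join(sorted(ind["yara"]))
    return label


if __name__ == "__main__":
    for (src, dst), ind in correlate(EVENTS, YARA_HITS).items():
        print(f"{src} -> {dst}: {verdict(ind)} ({ind['writes']} writes, "
              f"SeDebugPrivilege={ind['debug_priv']})")
```

Run on the constructed events it reports `1308 -> 1844: process hollowing, same-image child, payload family_isrstealer`. The useful part for triage is the last clause: the YARA hits are keyed to PID 1844's dump names, so the detection attributes the ISR Stealer payload to the hollowed child and the parent is treated as the loader, which is the right place to look for the unpacked binary (the `0x000C0000-0x00102000` region) and the wrong place to look for the stealer's own config.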