Analysis Overview
SHA256
1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967
Threat Level: Known bad
The file 1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer payload
Isrstealer family
UPX packed file
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-02 00:49
Signatures
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Isrstealer family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-02 00:49
Reported
2022-10-02 03:40
Platform
win7-20220812-en
Max time kernel
37s
Max time network
46s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1916 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe
"C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe"
C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\QJ324r2MXT.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t3rr0r.tk | udp |
Files
memory/1672-56-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1672-57-0x00000000004512E0-mapping.dmp
memory/1672-59-0x0000000075C51000-0x0000000075C53000-memory.dmp
memory/1672-60-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1672-61-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1672-62-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1672-63-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QJ324r2MXT.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-02 00:49
Reported
2022-10-02 03:40
Platform
win10v2004-20220812-en
Max time kernel
143s
Max time network
165s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4204 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe
"C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe"
C:\Users\Admin\AppData\Local\Temp\1bd9af9ff9532592ea4f33725de90ec2c0a7b773cdb13c95a12e8acd26896967.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\HZhpWAKzEk.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t3rr0r.tk | udp |
| US | 13.89.179.8:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.238.20.126:80 | tcp |
Files
memory/4480-134-0x0000000000000000-mapping.dmp
memory/4480-135-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4480-137-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4480-138-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4480-139-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HZhpWAKzEk.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |