Malware Analysis Report

2025-01-18 16:49

Sample ID 221004-b6ncfsgacn
Target 862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25
SHA256 862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25
Tags: isrstealer spyware stealer trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25

Threat Level: Known bad

The file 862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25 was found to be: Known bad.

Malicious Activity Summary

isrstealer spyware stealer trojan upx

ISR Stealer

ISR Stealer payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-04 01:45

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-04 01:45
Reported: 2022-10-04 10:59
Platform: win7-20220812-en
Max time kernel: 57s
Max time network: 60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"

Signatures

ISR Stealer

Tags: trojan stealer isrstealer

ISR Stealer payload

Matches: 6 (description, indicator, process and target not recorded; all fields N/A)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\talking.exe (2 matches; description, indicator and target N/A)

UPX packed file

Tags: upx
Matches: 5 (description, indicator, process and target not recorded; all fields N/A)

Reads user/profile data of web browsers

Tags: spyware stealer

Suspicious use of SetThreadContext

PID 1672 set thread context of 1500 (indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\talking.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\talking.exe (description, indicator and target N/A)

Suspicious use of WriteProcessMemory

PID 1736 wrote to memory of 1672 (4 events, indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

PID 1672 wrote to memory of 1500 (9 events, indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\talking.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

Processes

C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe

"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"

C:\Users\Admin\AppData\Local\Temp\talking.exe

"C:\Users\Admin\AppData\Local\Temp\talking.exe"

C:\Users\Admin\AppData\Local\Temp\talking.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\KtLxufi9l7.ini"

Network

Country  Destination        Domain              Proto
US       8.8.8.8:53         ronald.uphero.com   udp
US       153.92.0.100:80    ronald.uphero.com   tcp
US       8.8.8.8:53         www.000webhost.com  udp

Files

C:\Users\Admin\AppData\Local\Temp\talking.exe (dropped executable; six file events in this run, recorded both with and without the drive letter, all with identical hashes)

MD5 ad1d36fffa782a1807f7258d82d6dc1f
SHA1 c871c0daed368cfe12a6b1fd2dddd1ffcc895927
SHA256 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3
SHA512 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4

Memory dumps (PID 1672 is the first talking.exe, PID 1500 the copy it set the thread context of; the repeated 0x400000-0x453000 region is that child's image)

memory/1672-56-0x0000000000000000-mapping.dmp
memory/1500-62-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-63-0x00000000004512E0-mapping.dmp
memory/1500-66-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
memory/1500-67-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-68-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-69-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1500-70-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KtLxufi9l7.ini (the output path passed to talking.exe via /scomma)

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-04 01:45
Reported: 2022-10-04 10:59
Platform: win10v2004-20220812-en
Max time kernel: 99s
Max time network: 170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"

Signatures

ISR Stealer

Tags: trojan stealer isrstealer

ISR Stealer payload

Matches: 3 (description, indicator, process and target not recorded; all fields N/A)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\talking.exe (2 matches; description, indicator and target N/A)

UPX packed file

Tags: upx
Matches: 4 (description, indicator, process and target not recorded; all fields N/A)

Reads user/profile data of web browsers

Tags: spyware stealer

Suspicious use of SetThreadContext

PID 2720 set thread context of 4500 (indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\talking.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\talking.exe (description, indicator and target N/A)

Suspicious use of WriteProcessMemory

PID 3356 wrote to memory of 2720 (3 events, indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

PID 2720 wrote to memory of 4500 (8 events, indicator N/A)
  Process: C:\Users\Admin\AppData\Local\Temp\talking.exe
  Target:  C:\Users\Admin\AppData\Local\Temp\talking.exe

Processes

C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe

"C:\Users\Admin\AppData\Local\Temp\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"

C:\Users\Admin\AppData\Local\Temp\talking.exe

"C:\Users\Admin\AppData\Local\Temp\talking.exe"

C:\Users\Admin\AppData\Local\Temp\talking.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\TfPaWISy2y.ini"
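Both Processes listings (behavioral1 and behavioral2) show the same three-step chain: the dropper writes into and starts talking.exe, talking.exe starts a second copy of itself, writes into it and calls SetThreadContext on it, and a talking.exe instance then runs with /scomma and a randomly named .ini output path. /scomma is the switch NirSoft's command-line utilities use to save their report as comma-delimited text, which fits the "Reads user/profile data of web browsers" signature; the report itself does not identify the embedded tool. The script below is an added example, not code from the sandbox or from the sample: it parses event lines constructed from the WriteProcessMemory and SetThreadContext tables of both runs, rebuilds the parent-to-child chain, flags the self-hollowing pattern (same image on both sides of a write-then-SetThreadContext pair) and pulls the /scomma output path out of the command lines. The line format, the function names and the duplicate rows in the sample input are the editor's assumptions.

```python
"""Process-chain and self-hollowing check over sandbox indicator lines.

Added example for this report, not code from the sandbox or the sample.
Event text is constructed from the WriteProcessMemory / SetThreadContext
tables of behavioral1 (Win7) and behavioral2 (Win10); the line format and
the rule are the editor's own.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\862d2963fdda4c40ac84b0edfacb150d7b094aa8a00b748c5437274f7e61cb25.exe"
PAYLOAD = TMP + r"\talking.exe"

# Constructed input. Duplicate rows are kept on purpose: the sandbox logs one
# row per write, and the chain builder must not create duplicate edges.
EVENTS_WIN7 = "\n".join([
    f"PID 1736 wrote to memory of 1672 {DROPPER} {PAYLOAD}",
    f"PID 1736 wrote to memory of 1672 {DROPPER} {PAYLOAD}",
    f"PID 1672 wrote to memory of 1500 {PAYLOAD} {PAYLOAD}",
    f"PID 1672 wrote to memory of 1500 {PAYLOAD} {PAYLOAD}",
    f"PID 1672 set thread context of 1500 {PAYLOAD} {PAYLOAD}",
])
EVENTS_WIN10 = "\n".join([
    f"PID 3356 wrote to memory of 2720 {DROPPER} {PAYLOAD}",
    f"PID 2720 wrote to memory of 4500 {PAYLOAD} {PAYLOAD}",
    f"PID 2720 set thread context of 4500 {PAYLOAD} {PAYLOAD}",
])
CMDLINES_WIN7 = [
    f'"{DROPPER}"',
    f'"{PAYLOAD}"',
    f'/scomma "{TMP}\\KtLxufi9l7.ini"',
]


def parse_events(text):
    """Parse indicator lines into dicts with integer PIDs; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            events.append(d)
    return events


def process_chain(events, root):
    """Follow 'wrote to memory of' edges from root; returns [(pid, image)]
    in parent-to-child (depth-first) order, each PID once."""
    children = defaultdict(list)
    image = {}
    for e in events:
        image[e["src"]], image[e["dst"]] = e["src_img"], e["dst_img"]
        if e["verb"].startswith("wrote") and e["dst"] not in children[e["src"]]:
            children[e["src"]].append(e["dst"])
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, image.get(pid)))
        stack.extend(reversed(children[pid]))
    return chain


def find_hollowing(events):
    """(writer, target, image) where one PID both wrote into another and reset
    its thread context, and both run the same image: the 'spawn a suspended
    copy of yourself, overwrite it, resume it' sequence."""
    wrote = {(e["src"], e["dst"]) for e in events if e["verb"].startswith("wrote")}
    hits = []
    for e in events:
        pair = (e["src"], e["dst"])
        if (e["verb"].startswith("set thread") and pair in wrote
                and e["src_img"].lower() == e["dst_img"].lower()):
            hits.append((e["src"], e["dst"], e["dst_img"]))
    return hits


def scomma_outputs(cmdlines):
    """Output files named by NirSoft-style /scomma switches in the command lines."""
    paths = []
    for c in cmdlines:
        m = re.search(r'/scomma\s+"([^"]+)"', c)
        if m:
            paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    for name, text in (("win7", EVENTS_WIN7), ("win10", EVENTS_WIN10)):
        ev = parse_events(text)
        print(name, [pid for pid, _ in process_chain(ev, ev[0]["src"])], find_hollowing(ev))
    print(scomma_outputs(CMDLINES_WIN7))
```

The same-image test is what separates this from an ordinary parent writing into a child it just created (the dropper to talking.exe edge), which the sandbox also reports under WriteProcessMemory but which carries no SetThreadContext.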

Network

Country  Destination          Domain              Proto
US       209.197.3.8:80       -                   tcp
US       93.184.220.29:80     -                   tcp
US       8.8.8.8:53           ronald.uphero.com   udp
US       153.92.0.100:80      ronald.uphero.com   tcp
US       20.189.173.1:443     -                   tcp
US       8.8.8.8:53           www.000webhost.com  udp
US       104.19.184.120:443   www.000webhost.com  tcp
US       104.19.185.120:443   www.000webhost.com  tcp
US       209.197.3.8:80       -                   tcp
US       209.197.3.8:80       -                   tcp
US       209.197.3.8:80       -                   tcp

(no domain recorded is shown as -)

Files

C:\Users\Admin\AppData\Local\Temp\talking.exe (dropped executable; three file events in this run, all with identical hashes, the same file as in behavioral1)

MD5 ad1d36fffa782a1807f7258d82d6dc1f
SHA1 c871c0daed368cfe12a6b1fd2dddd1ffcc895927
SHA256 49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3
SHA512 53bd0676388492a39e746dd5fc56cebc11b3a92d4de1b799e054b7ccc4548ed578ece0581fb3b9484d3ae5c650ce16a4494d7445bd602f38a2badc418dd5cfb4

Memory dumps (PID 2720 is the first talking.exe, PID 4500 the copy it set the thread context of; the repeated 0x400000-0x453000 region is that child's image)

memory/2720-135-0x0000000000000000-mapping.dmp
memory/4500-140-0x0000000000000000-mapping.dmp
memory/4500-141-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-144-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-146-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TfPaWISy2y.ini (the output path passed to talking.exe via /scomma; hashes identical to KtLxufi9l7.ini from behavioral1)

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
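Across the two detonations the only destination that recurs together with a domain is ronald.uphero.com on 153.92.0.100:80, and www.000webhost.com is looked up in both runs; the Win10 run adds domain-less hits (209.197.3.8:80, 93.184.220.29:80, 20.189.173.1:443) seen in that run only, which the report does not attribute. The dropped talking.exe carries identical hashes in both runs, and so do the two randomly named .ini files (KtLxufi9l7.ini, TfPaWISy2y.ini), so the /scomma output was byte-for-byte the same on Win7 and Win10. The script below is an added example, not the sandbox's code or output format: it parses network rows and file entries constructed from the Network and Files tables of both runs, keeps the destinations common to every run (treating 8.8.8.8 as the sandbox's resolver, an assumption), collapses files by SHA-256 so cross-run renames fold together, and computes the same four digests for a local copy. Function names and the row formats are the editor's.

```python
"""Indicator extraction across the two detonations of this report.

Added example (editor's code, not the sandbox's). Network rows and file
entries are constructed from the behavioral1 and behavioral2 tables.
Assumption: 8.8.8.8 is the sandbox's DNS resolver, so it is dropped as a
destination while the names it was asked for are kept.
"""
import hashlib
import re

RESOLVERS = {"8.8.8.8"}  # assumption, see module docstring

NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

NET_WIN7 = """\
US 8.8.8.8:53 ronald.uphero.com udp
US 153.92.0.100:80 ronald.uphero.com tcp
US 8.8.8.8:53 www.000webhost.com udp
"""
NET_WIN10 = """\
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 ronald.uphero.com udp
US 153.92.0.100:80 ronald.uphero.com tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 www.000webhost.com udp
US 104.19.184.120:443 www.000webhost.com tcp
US 104.19.185.120:443 www.000webhost.com tcp
US 209.197.3.8:80 tcp
"""

# (run, path, md5, sha256) for the non-memory files of each run.
FILES = [
    ("win7", r"C:\Users\Admin\AppData\Local\Temp\talking.exe",
     "ad1d36fffa782a1807f7258d82d6dc1f",
     "49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3"),
    ("win7", r"C:\Users\Admin\AppData\Local\Temp\KtLxufi9l7.ini",
     "d1ea279fb5559c020a1b4137dc4de237",
     "fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba"),
    ("win10", r"C:\Users\Admin\AppData\Local\Temp\talking.exe",
     "ad1d36fffa782a1807f7258d82d6dc1f",
     "49782b9527eeb5e7babcae462b54b0b695f56aeef0ede37bd0b9fa81fd068ed3"),
    ("win10", r"C:\Users\Admin\AppData\Local\Temp\TfPaWISy2y.ini",
     "d1ea279fb5559c020a1b4137dc4de237",
     "fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba"),
]


def parse_network(text):
    """Rows -> (ip, port, proto, domain); domain is '' when none was recorded."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append((m["ip"], int(m["port"]), m["proto"], m["domain"] or ""))
    return rows


def recurring_destinations(*runs):
    """(ip, port, proto) present in every run, resolvers excluded, mapped to
    the domains the sandbox associated with them. Single-run, domain-less
    hits drop out here, which is where the OS background traffic goes."""
    keyed = [{(ip, port, proto) for ip, port, proto, _ in rows if ip not in RESOLVERS}
             for rows in runs]
    out = {k: set() for k in set.intersection(*keyed)}
    for rows in runs:
        for ip, port, proto, dom in rows:
            if (ip, port, proto) in out and dom:
                out[(ip, port, proto)].add(dom)
    return out


def queried_domains(*runs):
    """Names resolved over UDP/53 in every run."""
    return set.intersection(*[{dom for ip, port, proto, dom in rows
                               if port == 53 and proto == "udp" and dom}
                              for rows in runs])


def unique_files(entries):
    """Collapse file entries by SHA-256 -> {sha256: {md5, names, runs}}, so a
    renamed-per-run file shows up once with all of its names."""
    out = {}
    for run, path, md5, sha256 in entries:
        rec = out.setdefault(sha256, {"md5": md5, "names": set(), "runs": set()})
        rec["names"].add(path.rsplit("\\", 1)[-1])
        rec["runs"].add(run)
    return out


def digests(data: bytes):
    """The four digests the report lists, for checking a local copy against it."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    w7, w10 = parse_network(NET_WIN7), parse_network(NET_WIN10)
    print("recurring:", recurring_destinations(w7, w10))
    print("queried:", sorted(queried_domains(w7, w10)))
    for h, rec in unique_files(FILES).items():
        print(h[:12], rec["md5"], sorted(rec["names"]), sorted(rec["runs"]))
```

Feed `digests()` the bytes of a quarantined copy and compare its "sha256" entry against the keys of `unique_files(FILES)`; a match on talking.exe is the one worth blocking, since the .ini is sandbox output, not a dropped component.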