Overview

overview

10

Static

static

4e093ee100...ee.exe

windows7-x64

10

4e093ee100...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

  • Size

    653KB

  • MD5

    6549791f95f9aef9b36bdc610e164544

  • SHA1

    100124afab447d183bfa86dcab523d9b5e8e0eff

  • SHA256

    4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee

  • SHA512

    2701d24098a89c96808ae23d22581f113abeb15c26c70eb85ecdd859e7ae1a1846f543f5ce7f1a6e066664a228cfe41c273aae9b7470a853fe35f459582131eb

  • SSDEEP

    12288:8yizl10AJba1TfklX/Sns/SF5lwEhTjRUC3so0bJ2OxNJ4xiJ48E:pEJbaZklKs/SrnJjR7sT76iJ

Score
10/10
isrstealerstealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
    "C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
      C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
        C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
        3⤵
          PID:4064

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe.log
      Filesize

      128B

      MD5

      3d238ac6dd6710907edf2ad7893a0ed2

      SHA1

      b07aaeeb31bdc6e94097a254be088b092dc1fb68

      SHA256

      02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501

      SHA512

      c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24

      Download Submit

    • memory/3012-132-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/4064-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4064-137-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/4236-133-0x0000000000000000-mapping.dmp

      Download

    • memory/4236-135-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

      Filesize

      10.2MB

      Download