Overview

overview

10

Static

static

537f1dcbcc...a5.exe

windows7-x64

10

537f1dcbcc...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe

  • Size

    980KB

  • MD5

    61ec9f33042ed7a5dbcf2aa174f3641e

  • SHA1

    741ee7fd03da983bb934b8ee6c8c8c9f0d8cb0ff

  • SHA256

    537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5

  • SHA512

    f68a7c356465f6bad55b6854870a8af46c67cde4251780abe2025721d2478ebbfede3bd84280eccc27553f8231e6028dc0f53aa0e3165df50950c4be412868f6

  • SSDEEP

    12288:h2Ux5zpQmdTO3rlj/NSQPNE7bKVUW0IKvCnR77QV/VVvuFZFQW0xY38:EUxlTglJSQp90IcCnRMwZFQ8

Score
10/10
isrstealerstealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe
    "C:\Users\Admin\AppData\Local\Temp\537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        3⤵
          PID:1776

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/468-56-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/468-57-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/468-59-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/468-61-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/468-74-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1164-68-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1164-55-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1164-54-0x0000000075671000-0x0000000075673000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1776-71-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1776-72-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1776-66-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1776-73-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1776-75-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download