Overview

overview

10

Static

static

537f1dcbcc...a5.exe

windows7-x64

10

537f1dcbcc...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 21:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe

  • Size

    980KB

  • MD5

    61ec9f33042ed7a5dbcf2aa174f3641e

  • SHA1

    741ee7fd03da983bb934b8ee6c8c8c9f0d8cb0ff

  • SHA256

    537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5

  • SHA512

    f68a7c356465f6bad55b6854870a8af46c67cde4251780abe2025721d2478ebbfede3bd84280eccc27553f8231e6028dc0f53aa0e3165df50950c4be412868f6

  • SSDEEP

    12288:h2Ux5zpQmdTO3rlj/NSQPNE7bKVUW0IKvCnR77QV/VVvuFZFQW0xY38:EUxlTglJSQp90IcCnRMwZFQ8

Score
10/10
isrstealerstealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe
    "C:\Users\Admin\AppData\Local\Temp\537f1dcbcce67bfd21fb5fe053dfd49dc6cbbc1efc09874b29f2cc4263f87ba5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        3⤵
          PID:4092

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp.ini
      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

      Download Submit

    • memory/4092-140-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4092-142-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4092-144-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4092-145-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4436-134-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4436-143-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4436-147-0x0000000000400000-0x000000000048D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4800-132-0x0000000074940000-0x0000000074EF1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4800-137-0x0000000074940000-0x0000000074EF1000-memory.dmp

      Filesize

      5.7MB

      Download