Overview

overview

10

Static

static

3

c1ffe666a1...19.exe

windows7-x64

10

c1ffe666a1...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2023 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1ffe666a1dfdb35dc3c5d4297025d19.exe

  • Size

    368KB

  • MD5

    c1ffe666a1dfdb35dc3c5d4297025d19

  • SHA1

    47ccdd6630e0ca19c2da66d7afe79f8f85a60b5d

  • SHA256

    403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0

  • SHA512

    18a05d479674d54bb9d1439c7ace24e24caf32ef750c85cefd66b94039d33c4f1c7cd46cbf26f5310e316b35fec1e4e358af51f2fbde5d74451e831bf2acdf36

  • SSDEEP

    6144:DRAuog7deUAjpXZii1urqy4FVRO4lqaGClZFpRQwg5iwatmzZ/pPQ0:bZCpkuS4FV9l0Cl7nxgtzZBQ0

Score
10/10
isrstealerspywarestealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1ffe666a1dfdb35dc3c5d4297025d19.exe
    "C:\Users\Admin\AppData\Local\Temp\c1ffe666a1dfdb35dc3c5d4297025d19.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
      2⤵
      • Executes dropped EXE
      PID:1200
    • C:\Users\Admin\AppData\Local\Temp\006.exe
      "C:\Users\Admin\AppData\Local\Temp\006.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Users\Admin\AppData\Local\Temp\006.exe
        "C:\Users\Admin\AppData\Local\Temp\006.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\006.exe
    Filesize

    168KB

    MD5

    e63538bc7a919c82168acde031f1d0f9

    SHA1

    ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

    SHA256

    0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

    SHA512

    cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
    Filesize

    396KB

    MD5

    c4efbd75828df685ab7e1740e7bcd157

    SHA1

    687710f3569b294645aa026acdf78106c3d38e2c

    SHA256

    2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

    SHA512

    6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

    Download Submit

  • memory/1200-30-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1200-35-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-23-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1200-24-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-46-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-45-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-21-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1200-32-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-33-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1200-44-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-22-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1200-43-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1968-41-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1968-34-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1968-28-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1968-25-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download