isrstealer | 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
Size

439KB
MD5

066d70aad37e93ff30dfea3cd49ccc79
SHA1

0de81c392d9eaa47c2a42e2ea8e0cc33519448b8
SHA256

0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
SHA512

8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 4 IoCs

resource	yara_rule
behavioral2/memory/1948-136-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1948-140-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1948-151-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1948-165-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3424-158-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3424-159-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3424-160-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/3424-158-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3424-159-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3424-160-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1948	svhost.exe
2828	svhost.exe
3424	svhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2828-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2828-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2828-149-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2828-150-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3424-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3424-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3424-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3424-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3424-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 1948 set thread context of 2828	1948	svhost.exe	84
PID 1948 set thread context of 3424	1948	svhost.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
File created	C:\Windows\assembly\Desktop.ini	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	svhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4636	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	80
PID 4668 wrote to memory of 4636	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	80
PID 4668 wrote to memory of 4636	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	80
PID 4636 wrote to memory of 456	4636	cmd.exe	82
PID 4636 wrote to memory of 456	4636	cmd.exe	82
PID 4636 wrote to memory of 456	4636	cmd.exe	82
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 4668 wrote to memory of 1948	4668	0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe	83
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 2828	1948	svhost.exe	84
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89
PID 1948 wrote to memory of 3424	1948	svhost.exe	89

C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe
"C:\Users\Admin\AppData\Local\Temp\0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:456
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\lJwfLZJKJA.ini"
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\xyu2yhbVAT.ini"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
439KB

MD5
066d70aad37e93ff30dfea3cd49ccc79

SHA1
0de81c392d9eaa47c2a42e2ea8e0cc33519448b8

SHA256
0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5

SHA512
8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJwfLZJKJA.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
memory/1948-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2828-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4668-130-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4668-134-0x0000000074160000-0x0000000074C60000-memory.dmp

Filesize
11.0MB

Download
memory/4668-161-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4668-162-0x00000000738D0000-0x0000000074078000-memory.dmp

Filesize
7.7MB

Download
memory/4668-163-0x0000000074160000-0x0000000074C60000-memory.dmp

Filesize
11.0MB

Download
memory/4668-164-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4668-142-0x00000000738D0000-0x0000000074078000-memory.dmp

Filesize
7.7MB

Download