isrstealer | 1db44426b666ece25c1b9341edefb81655a2dac2ea3016a8a4cd868742d1cc0e

General

Target

Demurrage/Demurragefees.exe
Size

762KB
MD5

1c4dbd755e7ba59d2a4ce457f09f755b
SHA1

80b81ba84a6a507c241f5a99e34153fab47d3f0b
SHA256

3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4
SHA512

55a509c9a3be54093b13409da0f7720932e5eb9fab3d6322bcdef0755584aff10224bc98b4ae3db68261900e9a56359416cc0cffde429c0d0cf09fdccd07c90d

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 4 IoCs

resource	yara_rule
behavioral4/memory/5008-133-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral4/memory/5008-137-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral4/memory/5008-143-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral4/memory/5008-149-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
5008	svhost.exe
2948	svhost.exe
4820	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Demurragefees.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Demurragefees.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 5008	4044	Demurragefees.exe	80
PID 5008 set thread context of 2948	5008	svhost.exe	81
PID 5008 set thread context of 4820	5008	svhost.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Demurragefees.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Demurragefees.exe
File opened for modification	C:\Windows\assembly	Demurragefees.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3020	2948	WerFault.exe	81
2136	2948	WerFault.exe	81
2120	4820	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe
4044	Demurragefees.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	Demurragefees.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5008	svhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3448	4044	Demurragefees.exe	78
PID 4044 wrote to memory of 3448	4044	Demurragefees.exe	78
PID 4044 wrote to memory of 3448	4044	Demurragefees.exe	78
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 4044 wrote to memory of 5008	4044	Demurragefees.exe	80
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 2948	5008	svhost.exe	81
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87
PID 5008 wrote to memory of 4820	5008	svhost.exe	87

C:\Users\Admin\AppData\Local\Temp\Demurrage\Demurragefees.exe
"C:\Users\Admin\AppData\Local\Temp\Demurrage\Demurragefees.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\H2ztVcdySU.ini"
    3⤵
    - Executes dropped EXE
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 88
      4⤵
      Program crash
      PID:3020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 96
      4⤵
      Program crash
      PID:2136
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\9jfkxI4ICC.ini"
    3⤵
    - Executes dropped EXE
    PID:4820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 80
      4⤵
      Program crash
      PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2948 -ip 2948
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820
1⤵
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
memory/4044-144-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4044-130-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4044-145-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/5008-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing